Use Same-site: Lax

This is a guess based on a few articles I read where Windows Hello doesn't play nice with Same-Site: Strict. I have no credible evidence to back this up.
This commit is contained in:
Stanko K.R.
2026-03-24 15:17:05 +01:00
parent 1f63589d7e
commit c24d4fd7fd
@@ -24,7 +24,7 @@ class ActionPack::Passkey::ChallengesController < ActionController::Base
def create
challenge = create_passkey_challenge
cookies.encrypted[COOKIE_NAME] = { value: challenge, httponly: true, same_site: :strict, secure: !request.local? && request.ssl? }
cookies.encrypted[COOKIE_NAME] = { value: challenge, httponly: true, same_site: :lax, secure: !request.local? && request.ssl? }
render json: { challenge: challenge }
end