Description
We tried to set the cookie samesite setting to 'strict' to improve the security of our website.
```yaml
# framework.yaml
framework:
    session:
        cookie_samesite: strict
```
only to discover that clicking on password reset links from an email client (e.g. gmail) causes the process to fail.
As a workaround a user may have to copy and paste the link into a new browser tab.
Following lines seem to cause the issue:
```php
#[Route('/reset/{token}', name: 'app_reset_password')]
public function reset(Request $request, UserPasswordHasherInterface $passwordHasher, TranslatorInterface $translator, string $token = null): Response
{
    if ($token) {
        // We store the token in session and remove it from the URL, to avoid the URL being
        // loaded in a browser and potentially leaking the token to 3rd party JavaScript.
        $this->storeTokenInSession($token);

        return $this->redirectToRoute('app_reset_password');
    }

    $token = $this->getTokenFromSession();
    if (null === $token) {
        throw $this->createNotFoundException('No reset password token found in the URL or in the session.');
    }
    // ... (remainder of the method not included in the report)
}
```
When clicking on the password reset link from an email client, storing the token in the session and redirecting causes the session to be lost, as I assume the browser still treats the redirect as external. After the redirect `$this->getTokenFromSession();` returns `null`, causing the `HttpNotFoundException` to be thrown.
I found that a similar issue was discovered here: silverstripe/silverstripe-framework#11565
with solutions silverstripe/silverstripe-framework#11668 and silverstripe/silverstripe-framework#11686.
Maybe a solution like this might also be interesting for this password reset bundle?
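The following is an added example sketching how the token hand-off could survive a `SameSite=Strict` session cookie; it is not the bundle's code and not what the linked SilverStripe pull requests implement. It replaces the 302 redirect with a self-submitting same-origin form, the same pattern SAML/OIDC POST bindings rely on. Class name, route name and the two private session helpers are assumptions that mirror the snippet above.

```php
<?php
// Added example (not the bundle's code). Assumed: ResetController, route
// 'app_reset_password', session key 'ResetPasswordToken'.
namespace App\Controller;

use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Routing\Annotation\Route;

class ResetController extends AbstractController
{
    #[Route('/reset/{token}', name: 'app_reset_password', methods: ['GET', 'POST'])]
    public function reset(Request $request, ?string $token = null): Response
    {
        if ($token) {
            // Request 1 is a cross-site top-level GET from the mail client. The browser
            // withholds a SameSite=Strict session cookie on it, but it DOES store the
            // Set-Cookie header of this response. A 302 would not help: the follow-up
            // request is still part of the cross-site navigation, so the fresh cookie
            // would be withheld again and the session (and token) would be lost.
            $request->getSession()->set('ResetPasswordToken', $token);

            // Instead, answer with a page on our own origin that POSTs to the
            // token-less URL. That navigation is initiated by our document, hence
            // same-site, and the Strict cookie is sent with it.
            $action = htmlspecialchars($this->generateUrl('app_reset_password'), ENT_QUOTES);
            $html = <<<HTML
<!DOCTYPE html><html><body onload="document.forms[0].submit()">
<form method="post" action="{$action}">
<noscript><button type="submit">Continue</button></noscript>
</form></body></html>
HTML;

            return new Response($html, 200, ['Cache-Control' => 'no-store']);
        }

        // Request 2 (same-site POST): the session cookie arrives, the token is found.
        $token = $request->getSession()->get('ResetPasswordToken');
        if (null === $token) {
            throw $this->createNotFoundException('No reset password token found in the URL or in the session.');
        }

        // From here the normal flow continues (validate the token, show the form);
        // that part is unchanged and omitted in this example.
        return new Response('token accepted, continue with the reset form');
    }
}
```

With JavaScript disabled the user clicks Continue, which is still a same-site form submission, so the fallback behaves the same way. The token never appears in the second request's URL, so the original goal of keeping it out of browser history and third-party scripts is preserved.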