Looks like this is actually unrelated to the aforementioned bug, since I can reproduce it against 1.8.4.dev that already contains the remember me fix. Investigating.
Side note: Please always create a bug report for any observed issues; it was pure coincidence that I fell over this on the forums.
Edit: Good or maybe bad news... this is a side effect of SameSite=Strict that we now set on the cookies by default. Quoting MDN:
Cookies will only be sent in a first-party context and not be sent along with requests initiated by third party websites.
Prior to 1.8.3 we defaulted to an unset value, which MDN has this to say about:
Recent versions of modern browsers provide a more secure default for SameSite to your cookies and so the following message might appear in your console:
Cookie "myCookie" has "SameSite" policy set to "Lax" because it is missing a "SameSite" attribute, and "SameSite=Lax" is the default value for this attribute.
The warning appears because the SameSite policy for a cookie was not explicitly specified:
You should explicitly communicate the intended SameSite policy for your cookie (rather than relying on browsers to apply SameSite=Lax automatically). This will also improve the experience across browsers as not all of them default to
Set-Cookie: flavor=choco; SameSite=Lax
And then we read about that:
Cookies are not sent on normal cross-site subrequests (for example to load images or frames into a third party site), but are sent when a user is navigating to the origin site (i.e., when following a link).
This is the default cookie value if SameSite has not been explicitly specified in recent browser versions (see the "SameSite: Defaults to Lax" feature in the Browser Compatibility).
None as the default value in order to ensure that users have reasonably robust defense against some classes of cross-site request forgery (CSRF) attacks.
I'll have to think about whether I want to default to Lax here instead or not (currently slightly leaning towards not), however you can actually configure this if you want the old behaviour back: Editing config.yaml and setting lax should do it, which I just confirmed in a quick test.
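
Added example, not part of the original post or of the project's code: a small JavaScript model of the SameSite rules quoted above, showing why a cookie set with SameSite=Strict is dropped when a user follows a link from another site, while SameSite=Lax (or an unset value in recent browsers) still sends it. The function names, request contexts and sample cookies are constructed for illustration; the safe-method condition for Lax comes from the cookie specification rather than from the quotes above.

```javascript
// Added example: a model of the SameSite rules quoted from MDN, not browser code.

// Extract the SameSite attribute from a Set-Cookie header value.
// Returns "strict", "lax" or "none"; null if absent or unrecognised.
function parseSameSite(setCookie) {
  for (const attr of setCookie.split(";").slice(1)) {
    const [name, value = ""] = attr.trim().split("=");
    if (name.trim().toLowerCase() !== "samesite") continue;
    const v = value.trim().toLowerCase();
    return ["strict", "lax", "none"].includes(v) ? v : null;
  }
  return null;
}

// Would a browser with the "defaults to Lax" behaviour attach the cookie?
function cookieIsSent(setCookie, req) {
  const policy = parseSameSite(setCookie) ?? "lax"; // unset is treated as Lax
  if (!req.crossSite) return true; // first-party context: always sent
  if (policy === "none") return true;
  if (policy === "strict") return false;
  // Lax: only top-level navigations using a safe method (e.g. following a link)
  return req.topLevel && ["GET", "HEAD"].includes(req.method);
}

// Constructed request contexts for illustration.
const CONTEXTS = {
  sameSiteRequest: { crossSite: false, topLevel: false, method: "GET" },
  linkFromOtherSite: { crossSite: true, topLevel: true, method: "GET" },
  imageOrFrameOnOtherSite: { crossSite: true, topLevel: false, method: "GET" },
  formPostFromOtherSite: { crossSite: true, topLevel: true, method: "POST" },
};

// Map each context name to whether the cookie is sent.
function evaluate(setCookie) {
  return Object.fromEntries(
    Object.entries(CONTEXTS).map(([k, req]) => [k, cookieIsSent(setCookie, req)])
  );
}

// Constructed sample cookies: the new default, the configurable value, and unset.
for (const c of ["session=x; SameSite=Strict", "session=x; SameSite=Lax", "session=x"]) {
  console.log(c, evaluate(c));
}
```

The only context where Strict and Lax differ in this model is `linkFromOtherSite`, which is the case where a session cookie goes missing after arriving via an external link.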