From 8d0a6b2674864c5605ac268de93c089cb6868afa Mon Sep 17 00:00:00 2001
From: Kevin Ansfield
Date: Wed, 15 Apr 2020 10:51:47 +0100
Subject: [PATCH] =?UTF-8?q?=F0=9F=90=9B=20Fixed=20"View=20site"=20not=20lo?= =?UTF-8?q?gging=20into=20private=20sites=20with=20separate=20admin=20doma?= =?UTF-8?q?ins?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

no issue

- browsers now block cross-origin cookies unless they are explicitly set with `SameSite=none` and `Secure=true` options which was preventing the login request made by Ghost-Admin from working
- added an explicit `SameSite=none` option to the private site session cookie
- will only work when the front-end site is served over HTTPS - there's no way to get browsers to accept cross-origin cookies over HTTP
---
 core/frontend/apps/private-blogging/lib/middleware.js | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/core/frontend/apps/private-blogging/lib/middleware.js b/core/frontend/apps/private-blogging/lib/middleware.js
index 149e2a9fa8..734e04d05a 100644
--- a/core/frontend/apps/private-blogging/lib/middleware.js
+++ b/core/frontend/apps/private-blogging/lib/middleware.js
@@ -43,7 +43,8 @@ const privateBlogging = {
 return session({
 maxAge: constants.ONE_MONTH_MS,
-signed: false
+signed: false,
+sameSite: 'none'
 })(req, res, next);
 },
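Review bot: The new `sameSite: 'none'` option is added without a matching `secure: true`, and current browsers reject any `SameSite=None` cookie that lacks the `Secure` attribute, so unless the session library adds `Secure` itself from the request protocol (not visible in this hunk) a private site served over plain HTTP loses even the same-origin login that worked before this change. Since the commit message already concedes the cross-origin case needs HTTPS, the code should say so and keep HTTP working by deriving both attributes from the request, e.g. `secure: req.secure,` and `sameSite: req.secure ? 'none' : 'lax'` (this relies on `req.secure` being correct behind a proxy, i.e. `trust proxy` being configured — worth confirming). `SameSite=None` also gives up the cross-site request protection this cookie previously had by browser default, which is tolerable only because it merely records that a visitor entered the private-site password, and that reasoning deserves a comment on the option, e.g. `// SameSite=None so Ghost-Admin on a separate domain can log in to the site; browsers require Secure (HTTPS) for this`. The enclosing method begins before the hunk and the `privateBlogging` object continues past it.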