From eb3660a772c4b6da5a9f1e6bd3bf278559c844ed Mon Sep 17 00:00:00 2001
From: Rob Ede
Date: Sun, 11 Sep 2022 21:11:33 +0100
Subject: [PATCH] set same-site attribute when clearing session cookie (#284)

fixes #282
---
 actix-session/CHANGES.md | 3 +++
 actix-session/src/middleware.rs | 3 ++-
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/actix-session/CHANGES.md b/actix-session/CHANGES.md
index 6411b3970..2cac6b594 100644
--- a/actix-session/CHANGES.md
+++ b/actix-session/CHANGES.md
@@ -1,8 +1,11 @@
 # Changes
 ## Unreleased - 2021-xx-xx
+- Set SameSite attribute when adding a session removal cookie. [#284]
 - Minimum supported Rust version (MSRV) is now 1.59 due to transitive `time` dependency.
+[#284]: https://github.com/actix/actix-extras/pull/284
+
 ## 0.7.1 - 2022-07-24
 - Fix interaction between session state changes and renewal. [#265]
diff --git a/actix-session/src/middleware.rs b/actix-session/src/middleware.rs
index 3b0444fce..9a055c9fd 100644
--- a/actix-session/src/middleware.rs
+++ b/actix-session/src/middleware.rs
@@ -444,7 +444,8 @@ fn delete_session_cookie(
 ) -> Result<(), anyhow::Error> {
 let removal_cookie = Cookie::build(config.name.clone(), "")
 .path(config.path.clone())
- .http_only(config.http_only);
+ .http_only(config.http_only)
+ .same_site(config.same_site);
 let mut removal_cookie = if let Some(ref domain) = config.domain {
 removal_cookie.domain(domain)
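Review bot: The removal cookie built in `delete_session_cookie` now mirrors `SameSite`, but the visible builder chain still sets no `Secure` attribute, so with `SameSite=None` configured the removal cookie would be sent as `SameSite=None` without `Secure`. Browsers that require `Secure` on `SameSite=None` cookies reject such a cookie, which would leave the session cookie in the browser after a logout or purge. Assuming the cookie configuration carries the same secure flag the session cookie is issued with, add `.secure(config.secure)` to the chain next to `.http_only(config.http_only)`. The function body continues past the end of the hunk, so confirm the attribute is not already applied there; a test asserting that the removal cookie's attributes match the issued cookie's would keep the two from drifting apart again.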