SameSite for CFCookie doesn't send None values


So close! The fix here was incomplete:

If you pass a value of 'Strict' to Same Site, it will appear in the cookie. If you pass a value of 'Lax', it will also appear in the cookie, like so:

With SameSite='Lax'

However, if you pass the value of 'None', which is supported according to the spec, Lucee decides to OMIT the SameSite attribute entirely.

With SameSite='None'

This is incorrect, for reasons explained here:

Finally there is the option of not specifying the value which has previously been the way of implicitly stating that you want the cookie to be sent in all contexts. In the latest draft of RFC6265b is this is being made explicit by introducing a new value of SameSite=None. This means you can use None to clearly communicate that you intentionally want the cookie sent in a third-party context.

Explicitly mark the context of a cookie as None, Lax, or Strict.

Why wasn't this just a passthrough? Without being able to set a value of 'None' for valid third-party contexts, cfcookie will still fall prey to the Chrome changes.

See more about this here:


Tested in Lucee


Zac Spitzer
September 20, 2020, 2:29 PM

I have fixed the implementation

here’s a test patch against the latest, just drop it it in C:\lucee\tomcat\lucee-server\deploy


Michael Offner
September 21, 2020, 2:28 PM


Michael Offner
September 21, 2020, 2:28 PM


Pothys - MitrahSoft
September 21, 2020, 2:42 PM

I've checked this ticket with 's PR. Before this PR, if we do not give samesite means then there is no samesite available. In this PR the default samesite is strict and also samesite "none" works fine. And yes the modern browsers need a secure attribute for "none" in samesite.

Shawn Grigson
October 23, 2020, 4:21 PM

Confirmed the fix in

Nice work!



Michael Offner


Shawn Grigson




Fix versions

Affects versions