SameSite for CFCookie doesn't send None values

Description

So close! The fix here was incomplete: https://luceeserver.atlassian.net/browse/LDEV-1236

If you pass a value of 'Strict' to Same Site, it will appear in the cookie. If you pass a value of 'Lax', it will also appear in the cookie, like so:

With SameSite='Lax'

Set-Cookie: myCookie=qDfNCChMBWSOLgilSuwTH99rpIH8sA33ehYwrfnXy2A;Path=/;Domain=.example.com;Expires=Fri, 31-Jul-2020 23:25:08 UTC;Secure;HTTPOnly;SameSite=Lax

However, if you pass the value of 'None', which is supported according to the spec, Lucee decides to OMIT the SameSite attribute entirely.

With SameSite='None'

Set-Cookie: myCookie=itCr81d0-iSN0nNsCvXcBoAKDMlNdnnOb3knr199vlc;Path=/;Domain=.example.com;Expires=Fri, 31-Jul-2020 23:24:05 UTC;Secure;HTTPOnly

This is incorrect, for reasons explained here:

https://web.dev/samesite-cookies-explained/?utm_source=devtools

Finally there is the option of not specifying the value, which has previously been the way of implicitly stating that you want the cookie to be sent in all contexts. In the latest draft of RFC6265bis this is being made explicit by introducing a new value of SameSite=None. This means you can use None to clearly communicate that you intentionally want the cookie sent in a third-party context.

Explicitly mark the context of a cookie as None, Lax, or Strict.

Why wasn't this just a passthrough? Without being able to set a value of 'None' for valid third-party contexts, cfcookie will still fall prey to the Chrome changes.

See more about this here:

https://blog.heroku.com/chrome-changes-samesite-cookie

Environment

Tested in Lucee 5.3.7.34RC
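To make the two header outputs above concrete, here is an added example (not code from Lucee or from this ticket) that parses a Set-Cookie header and audits its SameSite handling the way a modern browser would treat it: a missing attribute is reported as "treated as Lax" (so the cookie silently stops working in third-party contexts, which is the bug reported here), and SameSite=None without Secure is reported because browsers reject that combination. It also includes a small header builder that passes every valid value through, None included, and forces Secure whenever None is requested. The parser, the builder and the function names are this example's own assumptions; the two sample headers are the ones quoted in the issue.

```python
"""Parse Set-Cookie headers and audit their SameSite handling (added example)."""
from typing import Dict, List, Optional, Tuple

# The two Set-Cookie lines quoted in the issue description above.
SAMESITE_LAX_HEADER = (
    "Set-Cookie: myCookie=qDfNCChMBWSOLgilSuwTH99rpIH8sA33ehYwrfnXy2A;Path=/;"
    "Domain=.example.com;Expires=Fri, 31-Jul-2020 23:25:08 UTC;Secure;HTTPOnly;SameSite=Lax"
)
SAMESITE_OMITTED_HEADER = (
    "Set-Cookie: myCookie=itCr81d0-iSN0nNsCvXcBoAKDMlNdnnOb3knr199vlc;Path=/;"
    "Domain=.example.com;Expires=Fri, 31-Jul-2020 23:24:05 UTC;Secure;HTTPOnly"
)

# The three values RFC6265bis defines for the SameSite attribute.
VALID_SAMESITE = {"strict", "lax", "none"}


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, Optional[str]]]:
    """Split a Set-Cookie header into (name, value, attributes).

    Attribute names are lower-cased; flag attributes such as Secure map to None.
    The leading "Set-Cookie:" field name is optional.
    """
    if header.lower().startswith("set-cookie:"):
        header = header.split(":", 1)[1]
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, Optional[str]] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else None
    return name.strip(), value.strip(), attrs


def audit_samesite(header: str) -> List[str]:
    """Return findings describing how a browser with the new defaults treats the cookie."""
    name, _, attrs = parse_set_cookie(header)
    findings: List[str] = []
    samesite = attrs.get("samesite")
    if samesite is None:
        findings.append(
            f"{name}: SameSite attribute missing; the browser defaults it to Lax, "
            "so the cookie is not sent in third-party contexts"
        )
        return findings
    value = samesite.lower()
    if value not in VALID_SAMESITE:
        findings.append(f"{name}: unrecognised SameSite value {samesite!r}")
    elif value == "none" and "secure" not in attrs:
        findings.append(
            f"{name}: SameSite=None requires the Secure attribute; "
            "browsers reject the cookie otherwise"
        )
    return findings


def build_set_cookie(name: str, value: str, samesite: Optional[str] = None,
                     secure: bool = False, http_only: bool = True, path: str = "/") -> str:
    """Build a Set-Cookie header value that passes every valid SameSite value through.

    Unlike the behaviour reported in the issue, 'none' is emitted as SameSite=None.
    Because SameSite=None is only honoured on secure cookies, Secure is forced on
    whenever None is requested. An empty samesite string means "not specified".
    """
    attrs = [f"{name}={value}", f"Path={path}"]
    if samesite and samesite.strip():
        normalised = samesite.strip().lower()
        if normalised not in VALID_SAMESITE:
            raise ValueError(f"invalid samesite value: {samesite!r}")
        if normalised == "none":
            secure = True
        attrs.append("SameSite=" + normalised.capitalize())
    if secure:
        attrs.append("Secure")
    if http_only:
        attrs.append("HttpOnly")
    return "; ".join(attrs)


if __name__ == "__main__":
    for header in (SAMESITE_LAX_HEADER, SAMESITE_OMITTED_HEADER):
        print(audit_samesite(header) or ["ok"])
    print(build_set_cookie("myCookie", "abc123", samesite="none"))
```

Running the audit over the two quoted headers reports the first as fine and the second as missing its SameSite attribute, which is exactly why a cookie set with samesite='None' under the buggy build would still be blocked in third-party contexts. The builder's choice to force Secure rather than reject the request is a convenience; a stricter implementation could raise instead, but either way the None value must reach the header.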


Activity


Shawn Grigson 23 October 2020 at 16:21

Confirmed the fix in 5.3.7.43.

Nice work!

Pothys - MitrahSoft 21 September 2020 at 14:42

I've checked this ticket with 's PR. Before this PR, if we do not give samesite, then there is no samesite available. In this PR the default samesite is strict and also samesite "none" works fine. And yes, the modern browsers need a secure attribute for "none" in samesite.

Zac Spitzer 20 September 2020 at 14:29

I have fixed the implementation

https://github.com/lucee/Lucee/pull/1044

<cfcookie name="lax" path="/" value="1" samesite="lax">
<cfcookie name="none" path="/" value="1" samesite="none">
<cfcookie name="strict" path="/" value="1" samesite="strict">
<cfcookie name="empty" path="/" value="1" samesite="">
<cfcookie name="without" path="/" value="1">

here's a test patch against the latest 5.3.7.42-RC, just drop it in C:\lucee\tomcat\lucee-server\deploy


Fixed

Created 31 July 2020 at 20:36
Updated 23 October 2020 at 16:21
Resolved 9 October 2020 at 13:17