Resolution: Duplicate
Assignee: Unassigned
Reporter: Tim B
Priority: New
New Issue warning screen: Before you create a new Issue, please post to the mailing list first (https://dev.lucee.org). Once the issue has been verified, one of the Lucee team will ask you to file an issue.
Created 5 August 2020 at 20:29
Updated 1 April 2021 at 16:16
Resolved 6 August 2020 at 05:51
Google announced that it is now requiring an explicit `SameSite=None` attribute in order to send cookies on cross-site requests.
https://blog.chromium.org/2019/05/improving-privacy-and-security-on-web.html
https://web.dev/samesite-cookies-explained/
With Chrome 76, as described in the second link, with the same-site-by-default-cookies and cookies-without-same-site-must-be-secure flags set, third-party cookies from Lucee are no longer sent unless `SameSite=None; Secure` was set on the cookie, which is not currently supported in Lucee.
Currently, when you run the following code in Lucee with `sameSite = 'None'`:

```cfml
cfcookie( name = "key", value = "value", domain = 'localtest.me', secure = true, httpOnly = true, sameSite = 'None' );
```

Lucee sends the following to the browser:

```text
"set-cookie" : "{key}={value};Path=/;Domain=localtest.me;Expires={date};Secure;HTTPOnly"
```

The `SameSite=None` attribute is simply missing. This does not happen when `sameSite` is set to `strict` or `lax`.

This is what it should look like, with `SameSite=None` explicitly included:

```text
"set-cookie" : "{key}={value};Path=/;Domain=localtest.me;Expires={date};SameSite=None;Secure;HTTPOnly"
```
Please advise.
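As an added example (not part of the original report or of Lucee itself), the following Python checker parses a `Set-Cookie` header and reports the two conditions Chrome 76 enforces for cross-site cookies: a missing `SameSite` attribute (treated as `Lax`, so the cookie is not sent cross-site) and `SameSite=None` without `Secure` (cookie rejected). The sample headers are constructed from the report above, with the `{key}`, `{value}` and `{date}` placeholders filled in with made-up values.

```python
from typing import Dict, List, Optional

# Constructed samples modelled on the headers in the report above.
# What Lucee emitted (SameSite missing) and what the reporter expected.
LUCEE_ACTUAL = (
    "key=value;Path=/;Domain=localtest.me;"
    "Expires=Thu, 06 Aug 2020 20:29:00 GMT;Secure;HTTPOnly"
)
LUCEE_EXPECTED = (
    "key=value;Path=/;Domain=localtest.me;"
    "Expires=Thu, 06 Aug 2020 20:29:00 GMT;SameSite=None;Secure;HTTPOnly"
)


def parse_set_cookie(header: str) -> Dict[str, Optional[str]]:
    """Split a Set-Cookie header into the cookie pair and its attributes.

    The first segment is stored under 'name' and 'value'. Attribute names
    are lower-cased; flag attributes without a value (Secure, HttpOnly)
    map to None. Splitting on ';' is safe because the Expires date uses
    commas, not semicolons.
    """
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    cookie: Dict[str, Optional[str]] = {"name": name.strip(), "value": value.strip()}
    for attr in parts[1:]:
        key, sep, val = attr.partition("=")
        cookie[key.strip().lower()] = val.strip() if sep else None
    return cookie


def audit_cross_site_cookie(header: str) -> List[str]:
    """Return findings for a cookie that is meant to be sent cross-site.

    Chrome 76 with the flags named in the report (later the default)
    treats a missing SameSite as Lax and drops SameSite=None cookies
    that are not also marked Secure. An empty list means the cookie
    will be sent on cross-site requests.
    """
    cookie = parse_set_cookie(header)
    findings: List[str] = []
    samesite = cookie.get("samesite")
    if samesite is None:
        findings.append("SameSite missing: Chrome defaults to Lax, cookie not sent cross-site")
    elif samesite.lower() == "none" and "secure" not in cookie:
        findings.append("SameSite=None without Secure: Chrome rejects the cookie")
    return findings


if __name__ == "__main__":
    for label, hdr in (("actual", LUCEE_ACTUAL), ("expected", LUCEE_EXPECTED)):
        print(label, audit_cross_site_cookie(hdr) or "OK for cross-site use")
```

Run against a captured response header from a Lucee instance, this check makes the regression in the report visible without needing a browser to reproduce it.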