Apache Allura™ / Tickets / #8362 Fix cookie lacking secure attribute

Kenton Taylor - 2020-05-29

kt/8362

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Description has changed:

Diff:

--- old
+++ new
@@ -1,3 +1,2 @@
-

 `Cookie “_session_id” will be soon rejected because it has the “sameSite” attribute set to “none” or an invalid value, without the “secure” attribute. To know more about the “sameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Cookies`

status: open --> review

Description has changed:

Diff:

--- old
+++ new
@@ -1,2 +1 @@
-
 `Cookie “_session_id” will be soon rejected because it has the “sameSite” attribute set to “none” or an invalid value, without the “secure” attribute. To know more about the “sameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Cookies`

status: review --> open

Dave Brondsema - 2020-05-29

Seeing same warning for memorable_forget. Probably site-notification cookie needs it too.

Allura can run without https, in fact that's the default for a docker develoment instance. And then setting secure flag on the cookie means it doesn't work and you can't submit any form successfully. Could check beaker.session.secure config and only do secure if that is secure. Or set SameSite=Strict, seems like that would be ok we don't need these cookies shared? But might be good to have cookies flagged as secure whenever possible anyway.`

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
- Kenton Taylor - 2020-06-02
  
  New rev includes
  memorable_forget and site-notification.
  Conditionally setting secure value based on the session.secure val
  
  If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Kenton Taylor - 2020-06-02

status: open --> review
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Dave Brondsema - 2020-06-08

status: review --> closed

Reviewer: Dave Brondsema
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Dave Brondsema - 2021-05-17

Milestone: unreleased --> v1.13.0
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Apache Allura™

Forge software for hosting software projects

Milestone

Searches

Help

#8362 Fix cookie lacking secure attribute

Discussion