#8362 Fix cookie lacking secure attribute

v1.13.0
closed
Kenton Taylor
None
General
Dave Brondsema
2021-05-17
2020-05-29
Kenton Taylor
No

Cookie “_session_id” will be soon rejected because it has the “sameSite” attribute set to “none” or an invalid value, without the “secure” attribute. To know more about the “sameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Cookies

Discussion

  • Kenton Taylor - 2020-05-29

    kt/8362

     

  • Kenton Taylor - 2020-05-29
    • Description has changed:

    Diff:

    --- old
+++ new
@@ -1,3 +1,2 @@
-

 `Cookie “_session_id” will be soon rejected because it has the “sameSite” attribute set to “none” or an invalid value, without the “secure” attribute. To know more about the “sameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Cookies`
    • status: open --> review
     

  • Dave Brondsema

    Dave Brondsema - 2020-05-29
    • Description has changed:

    Diff:

    --- old
+++ new
@@ -1,2 +1 @@
-
 `Cookie “_session_id” will be soon rejected because it has the “sameSite” attribute set to “none” or an invalid value, without the “secure” attribute. To know more about the “sameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Cookies`
    • status: review --> open
     

  • Dave Brondsema

    Dave Brondsema - 2020-05-29

    Seeing same warning for memorable_forget. Probably site-notification cookie needs it too.

    Allura can run without https, in fact that's the default for a docker develoment instance. And then setting secure flag on the cookie means it doesn't work and you can't submit any form successfully. Could check beaker.session.secure config and only do secure if that is secure. Or set SameSite=Strict, seems like that would be ok we don't need these cookies shared? But might be good to have cookies flagged as secure whenever possible anyway.`

     

    • Kenton Taylor - 2020-06-02

      New rev includes
      * memorable_forget and site-notification.
      * Conditionally setting secure value based on the session.secure val

       

  • Kenton Taylor - 2020-06-02
    • status: open --> review
     

  • Dave Brondsema

    Dave Brondsema - 2020-06-08
    • status: review --> closed
    • Reviewer: Dave Brondsema
     

  • Dave Brondsema

    Dave Brondsema - 2021-05-17
    • Milestone: unreleased --> v1.13.0
     

Log in to post a comment.