#8362 Fix cookie lacking secure attribute

unreleased
closed
None
General
2020-06-08
2020-05-29
No

Cookie “_session_id” will be soon rejected because it has the “sameSite” attribute set to “none” or an invalid value, without the “secure” attribute. To know more about the “sameSite” attribute, read https://developer.mozilla.org/docs/Web/HTTP/Cookies

Discussion

  • Kenton Taylor

    Kenton Taylor - 2020-05-29

    kt/8362

     
  • Kenton Taylor

    Kenton Taylor - 2020-05-29
    • Description has changed:

    Diff:

    --- old
    +++ new
    @@ -1,3 +1,2 @@
    -
    
     `Cookie “_session_id” will be soon rejected because it has the “sameSite” attribute set to “none” or an invalid value, without the “secure” attribute. To know more about the “sameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Cookies`
    
    • status: open --> review
     
  • Dave Brondsema

    Dave Brondsema - 2020-05-29
    • Description has changed:

    Diff:

    --- old
    +++ new
    @@ -1,2 +1 @@
    -
     `Cookie “_session_id” will be soon rejected because it has the “sameSite” attribute set to “none” or an invalid value, without the “secure” attribute. To know more about the “sameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Cookies`
    
    • status: review --> open
     
  • Dave Brondsema

    Dave Brondsema - 2020-05-29

    Seeing same warning for memorable_forget. Probably site-notification cookie needs it too.

    Allura can run without https, in fact that's the default for a docker development instance. And then setting secure flag on the cookie means it doesn't work and you can't submit any form successfully. Could check beaker.session.secure config and only do secure if that is secure. Or set SameSite=Strict, seems like that would be ok we don't need these cookies shared? But might be good to have cookies flagged as secure whenever possible anyway.

     
    • Kenton Taylor

      Kenton Taylor - 2020-06-02

      New rev includes memorable_forget and site-notification.
      Conditionally setting secure value based on the session.secure val

       
  • Kenton Taylor

    Kenton Taylor - 2020-06-02
    • status: open --> review
     
  • Dave Brondsema

    Dave Brondsema - 2020-06-08
    • status: review --> closed
    • Reviewer: Dave Brondsema
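The approach worked out in the discussion above (SameSite on all three cookies, Secure only when beaker.session.secure is on) as an added Python example; this is not Allura's own code, and the `ALLURA_COOKIES` list, the `build_cookie` helper and the `find_rejected_cookies` lint helper are assumptions for illustration.

```python
import http.cookies  # Morsel supports the "samesite" attribute from Python 3.8 on

# Cookies named in the ticket; constructed list for this example, not Allura's own.
ALLURA_COOKIES = ("_session_id", "memorable_forget", "site-notification")
VALID_SAMESITE = {"strict", "lax", "none"}


def build_cookie(name, value, session_secure, samesite="Lax", path="/"):
    """Return a Set-Cookie header value. Secure is added only when the
    beaker.session.secure setting (session_secure) is on, so a plain-http
    docker development instance keeps working, as proposed in the discussion."""
    if samesite.lower() == "none" and not session_secure:
        # SameSite=None without Secure is exactly the cookie browsers reject;
        # fall back to Lax rather than emit a cookie that will be dropped.
        samesite = "Lax"
    jar = http.cookies.SimpleCookie()
    jar[name] = value
    jar[name]["path"] = path
    jar[name]["httponly"] = True
    jar[name]["samesite"] = samesite
    if session_secure:
        jar[name]["secure"] = True
    return jar[name].OutputString()


def find_rejected_cookies(set_cookie_headers):
    """Lint Set-Cookie header values and return the names that match the
    warning quoted in the ticket: SameSite is None or an invalid value and
    the Secure attribute is missing."""
    rejected = []
    for header in set_cookie_headers:
        jar = http.cookies.SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            samesite = str(morsel["samesite"]).lower()
            if not samesite:
                continue  # attribute absent: the browser default applies
            if (samesite == "none" or samesite not in VALID_SAMESITE) and not morsel["secure"]:
                rejected.append(name)
    return rejected


if __name__ == "__main__":
    # Constructed sample: the three cookies as emitted without and with https.
    for secure in (False, True):
        for cookie in ALLURA_COOKIES:
            print(build_cookie(cookie, "example", secure, samesite="None"))
    print(find_rejected_cookies(["_session_id=x; Path=/; SameSite=None"]))
```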
     
