tracker issue : CF-4201688

select a category, or use search below
(searches all categories and all time range)

CFCookie "samesite" support

| View in Tracker

Status/Resolution/Reason: To Fix//HasDependency

Reporter/Name(from Bugbase): James Moberg / James Moberg ()

Created: 03/22/2018

Components: Language, Cookie

Versions: 2016,11.0

Failure Type: Others

Found In Build/Fixed In Build: /

Priority/Frequency: Normal /

Locale/System: /

Vote Count: 18

I'd like to use the "samesite" cookie attribute w/CFCookie. (I would prefer not to have to write my own handler because I've encountered issues where setting a cookie wouldn't make it available to the ColdFusion application unless I set the cookie and then performed an additional web request.)

I had hoped that this attribute would already be supported in CF2016, but it appears that it's not. (I'm not sure if support is even currently planned for the upcoming beta.)

More information regarding "samesite" can be found here:


Refer also - CF-4202424



SameSite cookies are a new browser feature to help developers mitigate CSRF, they should be supported by CF in the CFCookie tag, and there should be settings for the session variables, eg in Application.cfc you should be able to do this: this.sessioncookie.samesite="lax/strict"; There should also be a CF Administrator setting to do the same. The CFCookie tag should support the samesite attribute, eg: <cfcookie samesite="lax"> or <cfcookie samesite="strict"> Info: Spec: Browser Support:
Comment by Peter F.
27795 | May 14, 2018 02:16:02 PM GMT
Important feature to help mitigate CSRF
Vote by Peter F.
27796 | May 14, 2018 02:18:56 PM GMT
This should be added to help us protect the visitors of our sites.
Vote by Miguel F.
27797 | May 14, 2018 03:09:13 PM GMT
+1 ...........
Vote by Aaron N.
27807 | May 14, 2018 11:14:42 PM GMT
FYI Tomcat 8.5.42 and Tomcat 9.0.21 have added support for same-site cookies, so it should be possible to implement this feature once you update Tomcat!
Comment by Peter F.
30905 | June 11, 2019 04:11:29 PM GMT
Hopefully "samesite", which is supported by 86.57% of browsers, will be implemented in ColdFusion 2016 before end-of-core on 2/17/2021. I was hoping that it would have been included in today's CF2016 patch 11, but didn't realize that Tomcat was the dependency that was holding everything up. (Tomcat added "samesite" support on June 4, 2019.)
Comment by James M.
30906 | June 11, 2019 05:01:51 PM GMT
Definitely an important feature. Please add!
Vote by Mosh T.
31298 | September 06, 2019 06:26:03 PM GMT
Please add this functionality
Vote by Ben F.
31777 | November 01, 2019 09:27:13 AM GMT
Definitely a must-do. It helps fight against Cross-Site Request Forgery.
Vote by A. B.
31778 | November 01, 2019 10:14:59 AM GMT
Could it be that ColdFusion 2018 implicitly supports samesite cookies? After all, ColdFusion 2018 runs on Tomcat 9.0.21, and this version of Tomcat has support for samesite cookies. See You would then think of something resembling the following in {CF_INSTANCE_DIR}/runtime/conf/context.xml <Context> <CookieProcessor className="org.apache.tomcat.util.http.LegacyCookieProcessor" sameSiteCookies="strict" /> </Context>
Comment by A. B.
31775 | November 01, 2019 11:01:28 AM GMT
"SameSite" will be more important very soon as Google Chrome will reject 3rdparty cookies if not configured properly. (ie, this will become a real "modernize or die" issue.) I tried responding, but I only saw an icon flash when I attempted to submit my response, so I posted it as a blog post. (This happened recently on the Adobe Community Forums too.) As a workaround, we're using a UDF to generate a "samesite" cookie.
Comment by James M.
31776 | November 01, 2019 03:35:25 PM GMT
Please add this functionality.
Vote by Moshe R.
31927 | December 04, 2019 09:46:22 PM GMT