tracker issue : CF-4201688


CFCookie "samesite" support


Status/Resolution/Reason: To Fix//HasDependency

Reporter/Name(from Bugbase): James Moberg / James Moberg ()

Created: 03/22/2018

Components: Language, Cookie

Versions: 2016,11.0

Failure Type: Others

Found In Build/Fixed In Build: /

Priority/Frequency: Normal /

Locale/System: /

Vote Count: 7

I'd like to use the "samesite" cookie attribute w/CFCookie. (I would prefer not to have to write my own handler because I've encountered issues where setting a cookie wouldn't make it available to the ColdFusion application unless I set the cookie and then performed an additional web request.)

I had hoped that this attribute would already be supported in CF2016, but it appears that it's not. (I'm not sure if support is even currently planned for the upcoming beta.)

More information regarding "samesite" can be found here:


Refer also - CF-4202424



SameSite cookies are a new browser feature to help developers mitigate CSRF. They should be supported by CF in the CFCookie tag, and there should be settings for the session variables, e.g. in Application.cfc you should be able to do this: this.sessioncookie.samesite="lax/strict"; There should also be a CF Administrator setting to do the same.

The CFCookie tag should support the samesite attribute, e.g.: <cfcookie samesite="lax"> or <cfcookie samesite="strict">

Info: Spec: Browser Support:
Comment by Peter F.
27795 | May 14, 2018 02:16:02 PM GMT
Important feature to help mitigate CSRF
Vote by Peter F.
27796 | May 14, 2018 02:18:56 PM GMT
This should be added to help us protect the visitors of our sites.
Vote by Miguel F.
27797 | May 14, 2018 03:09:13 PM GMT
+1 ...........
Vote by Aaron N.
27807 | May 14, 2018 11:14:42 PM GMT
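Until cfcookie gains a samesite attribute, the only option on the CF versions listed here is to emit the Set-Cookie header yourself. The helper below is an added example, not code from the tracker issue, its commenters, or Adobe ColdFusion; the function name setSameSiteCookie and the request.sameSiteCookies mirror are assumptions, the latter addressing the reporter's observation that a hand-set cookie is not visible to the application until the next request.

```cfml
<cfscript>
// Added example: set a cookie with SameSite on CF11/CF2016 via cfheader.
// The cookie scope only reflects cookies the browser sent with THIS request,
// so the value is also mirrored into the request scope for same-request use.
function setSameSiteCookie(
    required string name,
    required string value,
    string sameSite = "Lax",       // Lax or Strict; None requires Secure
    boolean secure = true,
    boolean httpOnly = true,
    string path = "/",
    numeric expiresInMinutes = 0   // 0 = session cookie (no Expires)
) {
    // Reject names that would break the header or smuggle extra attributes.
    if (reFind("[^A-Za-z0-9_\-]", arguments.name)) {
        throw(type="InvalidCookieName", message="Cookie name contains illegal characters");
    }
    if (!listFindNoCase("Lax,Strict,None", arguments.sameSite)) {
        throw(type="InvalidSameSite", message="SameSite must be Lax, Strict or None");
    }
    if (arguments.sameSite == "None" && !arguments.secure) {
        throw(type="InvalidSameSite", message="SameSite=None requires the Secure flag");
    }

    // Cookie values must not contain ';', ',' or whitespace, so URL-encode them.
    var header = arguments.name & "=" & urlEncodedFormat(arguments.value)
        & "; Path=" & arguments.path
        & "; SameSite=" & arguments.sameSite;
    if (arguments.expiresInMinutes > 0) {
        header &= "; Expires=" & getHttpTimeString(dateAdd("n", arguments.expiresInMinutes, now()));
    }
    if (arguments.secure)   header &= "; Secure";
    if (arguments.httpOnly) header &= "; HttpOnly";

    // Send the raw header; cfcookie on these versions would drop SameSite.
    cfheader(name="Set-Cookie", value=header);

    // Hypothetical mirror so later code in this request can read the value
    // without a second round trip through the browser.
    if (!structKeyExists(request, "sameSiteCookies")) {
        request.sameSiteCookies = {};
    }
    request.sameSiteCookies[arguments.name] = arguments.value;
}

// Usage: an anti-CSRF token cookie that is never sent on cross-site requests.
setSameSiteCookie(name="csrfToken", value=createUUID(), sameSite="Strict", expiresInMinutes=30);
</cfscript>
```

Code that needs the token in the same request reads request.sameSiteCookies.csrfToken; on subsequent requests the browser returns it and the normal cookie scope applies.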