tracker issue : CF-4201688

Title:

CFCookie "samesite" support


Status/Resolution/Reason: To Test//Fixed

Reporter/Name(from Bugbase): James Moberg / James Moberg ()

Created: 03/22/2018

Components: Language, Cookie

Versions: 2016,11.0

Failure Type: Others

Found In Build/Fixed In Build: /

Priority/Frequency: Normal /

Locale/System: /

Vote Count: 27

I'd like to use the "samesite" cookie attribute w/CFCookie. (I would prefer not to have to write my own handler because I've encountered issues where setting a cookie wouldn't make it available to the ColdFusion application unless I set the cookie and then performed an additional web request.)

I had hoped that this attribute would already be supported in CF2016, but it appears that it's not. (I'm not sure if support is even currently planned for the upcoming beta.)

More information regarding "samesite" can be found here:
 [https://caniuse.com/#feat=same-site-cookie-attribute]


Refer also - CF-4202424

Attachments:

Comments:

SameSite cookies are a new browser feature to help developers mitigate CSRF. They should be supported by CF in the CFCookie tag, and there should be settings for the session variables, e.g. in Application.cfc you should be able to do this:
this.sessioncookie.samesite="lax/strict";
There should also be a CF Administrator setting to do the same. The CFCookie tag should support the samesite attribute, e.g.:
<cfcookie samesite="lax"> or <cfcookie samesite="strict">
Info: https://www.owasp.org/index.php/SameSite
Spec: https://tools.ietf.org/html/draft-west-first-party-cookies-07
Browser Support: https://caniuse.com/#search=samesite
Comment by Peter F.
27795 | May 14, 2018 02:16:02 PM GMT
Important feature to help mitigate CSRF
Vote by Peter F.
27796 | May 14, 2018 02:18:56 PM GMT
This should be added to help us protect the visitors of our sites.
Vote by Miguel F.
27797 | May 14, 2018 03:09:13 PM GMT
+1 ...........
Vote by Aaron N.
27807 | May 14, 2018 11:14:42 PM GMT
FYI Tomcat 8.5.42 http://tomcat.apache.org/tomcat-8.5-doc/changelog.html and Tomcat 9.0.21 http://tomcat.apache.org/tomcat-9.0-doc/changelog.html have added support for same-site cookies, so it should be possible to implement this feature once you update Tomcat!
Comment by Peter F.
30905 | June 11, 2019 04:11:29 PM GMT
Hopefully "samesite", which is supported by 86.57% of browsers, will be implemented in ColdFusion 2016 before end-of-core on 2/17/2021. I was hoping that it would have been included in today's CF2016 patch 11, but didn't realize that Tomcat was the dependency that was holding everything up. (Tomcat added "samesite" support on June 4, 2019.)
Comment by James M.
30906 | June 11, 2019 05:01:51 PM GMT
Definitely an important feature. Please add!
Vote by Mosh T.
31298 | September 06, 2019 06:26:03 PM GMT
Please add this functionality
Vote by Ben F.
31777 | November 01, 2019 09:27:13 AM GMT
Definitely a must-do. It helps fight against Cross-Site Request Forgery.
Vote by A. B.
31778 | November 01, 2019 10:14:59 AM GMT
Could it be that ColdFusion 2018 implicitly supports samesite cookies? After all, ColdFusion 2018 runs on Tomcat 9.0.21, and this version of Tomcat has support for samesite cookies. See https://tomcat.apache.org/tomcat-8.5-doc/config/cookie-processor.html
You would then think of something resembling the following in {CF_INSTANCE_DIR}/runtime/conf/context.xml
<Context>
  <CookieProcessor className="org.apache.tomcat.util.http.LegacyCookieProcessor" sameSiteCookies="strict" />
</Context>
Comment by A. B.
31775 | November 01, 2019 11:01:28 AM GMT
"SameSite" will be more important very soon as Google Chrome will reject third-party cookies if not configured properly. (i.e., this will become a real "modernize or die" issue.) I tried responding, but I only saw an icon flash when I attempted to submit my response, so I posted it as a blog post. (This happened recently on the Adobe Community Forums too.) As a workaround, we're using a UDF to generate a "samesite" cookie. https://gamesover2600.tumblr.com/post/188744661844/coldfusion-setcookie-udf-supports-samesite
Comment by James M.
31776 | November 01, 2019 03:35:25 PM GMT
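The workaround James M. describes above (a UDF that writes the cookie itself, because cfcookie on these builds has no samesite attribute) can be implemented by emitting the Set-Cookie header through the servlet response ColdFusion runs on. The following is an added example, not James M.'s UDF and not Adobe's code; the function name setSameSiteCookie and its parameter names are assumptions. It also encodes the rule Chrome 80 enforces: SameSite=None is only honoured when the cookie is also Secure.

```cfml
<cfscript>
// Added example: write a Set-Cookie header with a SameSite attribute on ColdFusion
// builds that predate native support. Function and parameter names are assumed.
string function setSameSiteCookie(
    required string name,
    required string value,
    string sameSite = "Lax",        // Lax, Strict or None
    string path = "/",
    string domain = "",
    numeric maxAgeSeconds = -1,     // -1 = session cookie (no Expires/Max-Age)
    boolean secure = false,
    boolean httpOnly = true
) {
    var ss = lCase(trim(arguments.sameSite));
    if (!listFind("lax,strict,none", ss)) {
        throw(type = "InvalidSameSite", message = "SameSite must be Lax, Strict or None");
    }
    // Chrome 80+ rejects SameSite=None cookies that are not also Secure,
    // so force the Secure flag rather than emit a cookie the browser will drop.
    if (ss == "none") {
        arguments.secure = true;
    }

    var header = arguments.name & "=" & urlEncodedFormat(arguments.value)
        & "; Path=" & arguments.path;
    if (len(arguments.domain)) {
        header &= "; Domain=" & arguments.domain;
    }
    if (arguments.maxAgeSeconds >= 0) {
        // Max-Age for modern browsers, Expires (RFC 1123, GMT) for older ones.
        header &= "; Max-Age=" & int(arguments.maxAgeSeconds);
        header &= "; Expires=" & getHttpTimeString(dateAdd("s", arguments.maxAgeSeconds, now()));
    }
    if (arguments.secure) {
        header &= "; Secure";
    }
    if (arguments.httpOnly) {
        header &= "; HttpOnly";
    }
    // Canonical capitalisation: Lax / Strict / None
    header &= "; SameSite=" & uCase(left(ss, 1)) & right(ss, len(ss) - 1);

    // addHeader (not setHeader) so several cookies can be emitted in one response.
    getPageContext().getResponse().addHeader("Set-Cookie", header);
    return header;
}

// Constructed usage: a first-party session-style cookie and a cross-site one.
setSameSiteCookie(name = "prefs", value = "dark", sameSite = "Lax", maxAgeSeconds = 86400);
setSameSiteCookie(name = "api_token", value = "opaque-token", sameSite = "None"); // Secure is forced
</cfscript>
```

Because the value is written straight to the response header rather than through cfcookie, the COOKIE scope of the current request is not updated; as noted in the original report, the cookie only becomes visible to the application on the next request. Callers that need the value immediately should keep it in a local variable.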
Please add this functionality.
Vote by Moshe R.
31927 | December 04, 2019 09:46:22 PM GMT
Google Chrome 80 Stable is scheduled to be released on Feb 4, 2020. https://www.chromestatus.com/features/schedule https://www.chromestatus.com/feature/5088147346030592 https://www.chromestatus.com/feature/5633521622188032 Can Adobe provide some sort of official response regarding their support for ColdFusion 2016 & 2018? This bug report currently indicates that it will be fixed in "Alpha" and has a "normal" priority.
Comment by James M.
32068 | December 26, 2019 05:58:39 PM GMT
Deadline with Chrome 80 is looming now - roll this out so any fixes have time to be implemented
Vote by Steve L.
32078 | December 27, 2019 01:27:56 AM GMT
We are currently adding samesite support and the same would be included as part of the next update.
Comment by Edwin S.
32069 | January 09, 2020 10:45:51 AM GMT
Edwin, can you please clarify if "next update" means the next update to cf2018 (and 2016)? Or might you mean only cf2020?
Comment by Charlie A.
32070 | January 09, 2020 11:09:17 AM GMT
Hi Charlie, we will be adding it for CF2020, CF2018 and CF2016 as well. 
Comment by Edwin S.
32071 | January 09, 2020 12:58:52 PM GMT
Thanks, Edwin. But will the support for cf2018 and 2016 be released in an update, before cf2020 is released, especially if cf2020 may not be released for some months? Again, we're less than a month from the change in chrome that could affect many, some quite detrimentally.
Comment by Charlie A.
32072 | January 13, 2020 01:40:35 PM GMT
Chrome's "samesite" browser update is in 20 days. Will the "next update" be released before or after all Adobe ColdFusion platforms that use a back-end ColdFusion API with a different hostname are negatively impacted? Here's an article regarding it that was published 1/16/2020: https://webmasters.googleblog.com/2020/01/get-ready-for-new-samesitenone-secure.html
Official instructions & examples for various platforms are listed here. Adobe ColdFusion is not listed. https://github.com/GoogleChromeLabs/samesite-examples
I plan on recommending my UDF as a same-site ColdFusion example unless anyone has a better workaround. https://gamesover2600.tumblr.com/post/188744661844/coldfusion-setcookie-udf-supports-samesite
Comment by James M.
32073 | January 17, 2020 02:30:54 PM GMT
Another option, should Adobe's update not be released in time, is to use some sort of HTTP request post processor to add the flag. For example, with IIS's URL ReWrite tool, you could use the following outbound rule:
<rule name="Add SameSite Cookies Flag">
  <match serverVariable="RESPONSE_Set-Cookie" pattern="^(.*)(=.*)$" />
  <action type="Rewrite" value="{R:0}; SameSite=lax" />
</rule>
Just note that this rule would apply to EVERY cookie that is set unless you were to modify the pattern to exclude some of them, etc.
Comment by Mosh T.
32074 | January 17, 2020 03:43:57 PM GMT
So what's the deal with this? I'm kinda worried about Charlie saying 'we're less than a month from the change in Chrome that could affect many, some quite detrimentally' and there's no response from Adobe! This issue has been open since 2018. Are there any articles on how best to deal with this change in ColdFusion?
Comment by luke m.
32075 | January 29, 2020 11:53:37 AM GMT
The silence is deafening...
Comment by Sid W.
32076 | January 29, 2020 11:23:24 PM GMT
https://blog.chromium.org/2019/10/developers-get-ready-for-new.html With Chrome 80 in February, Chrome will treat cookies that have no declared SameSite value as SameSite=Lax cookies. Only cookies with the SameSite=None; Secure setting will be available for external access, provided they are being accessed from secure connections. The Chrome Platform Status trackers for SameSite=None and Secure will continue to be updated with the latest launch information.
Comment by John W.
32077 | January 30, 2020 09:08:07 AM GMT
Just more info on it - we'd really like to see this implemented: https://web.dev/samesite-cookies-explained/ https://www.troyhunt.com/promiscuous-cookies-and-their-impending-death-via-the-samesite-policy/
Comment by Matthew C.
32086 | February 04, 2020 04:56:56 PM GMT