tracker issue : CF-4201688

select a category, or use search below
(searches all categories and all time range)
Title:

CFCookie "samesite" support

| View in Tracker

Status/Resolution/Reason: To Fix//HaveNewInfo

Reporter/Name(from Bugbase): James Moberg / James Moberg ()

Created: 03/22/2018

Components: Language, Cookie

Versions: 2016,11.0,2018

Failure Type: Others

Found In Build/Fixed In Build: / 318456, 318424

Priority/Frequency: Normal /

Locale/System: /

Vote Count: 30

I'd like to use the "samesite" cookie attribute w/CFCookie. (I would prefer not to have to write my own handler because I've encountered issues where setting a cookie wouldn't make it available to the ColdFusion application unless I set the cookie and then performed an additional web request.)

I had hoped that this attribute would already be supported in CF2016, but it appears that it's not. (I'm not sure if support is even currently planned for the upcoming beta.)

More information regarding "samesite" can be found here:
 [https://caniuse.com/#feat=same-site-cookie-attribute]

 

Refer also - CF-4202424

Attachments:

Comments:

SameSite cookies are a new browser feature to help developers mitigate CSRF, they should be supported by CF in the CFCookie tag, and there should be settings for the session variables, eg in Application.cfc you should be able to do this: this.sessioncookie.samesite="lax/strict"; There should also be a CF Administrator setting to do the same. The CFCookie tag should support the samesite attribute, eg: <cfcookie samesite="lax"> or <cfcookie samesite="strict"> Info: https://www.owasp.org/index.php/SameSite Spec: https://tools.ietf.org/html/draft-west-first-party-cookies-07 Browser Support: https://caniuse.com/#search=samesite
Comment by Peter F.
27795 | May 14, 2018 02:16:02 PM GMT
Important feature to help mitigate CSRF
Vote by Peter F.
27796 | May 14, 2018 02:18:56 PM GMT
This should be added to help us protect the visitors of our sites.
Vote by Miguel F.
27797 | May 14, 2018 03:09:13 PM GMT
+1 ...........
Vote by Aaron N.
27807 | May 14, 2018 11:14:42 PM GMT
FYI Tomcat 8.5.42 http://tomcat.apache.org/tomcat-8.5-doc/changelog.html and Tomcat 9.0.21 http://tomcat.apache.org/tomcat-9.0-doc/changelog.html have added support for same-site cookies, so it should be possible to implement this feature once you update Tomcat!
Comment by Peter F.
30905 | June 11, 2019 04:11:29 PM GMT
Hopefully "samesite", which is supported by 86.57% of browsers, will be implemented in ColdFusion 2016 before end-of-core on 2/17/2021. I was hoping that it would have been included in today's CF2016 patch 11, but didn't realize that Tomcat was the dependency that was holding everything up. (Tomcat added "samesite" support on June 4, 2019.)
Comment by James M.
30906 | June 11, 2019 05:01:51 PM GMT
Definitely an important feature. Please add!
Vote by Mosh T.
31298 | September 06, 2019 06:26:03 PM GMT
Please add this functionality
Vote by Ben F.
31777 | November 01, 2019 09:27:13 AM GMT
Definitely a must-do. It helps fight against Cross-Site Request Forgery.
Vote by A. B.
31778 | November 01, 2019 10:14:59 AM GMT
Could it be that ColdFusion 2018 implicitly supports samesite cookies? After all, ColdFusion 2018 runs on Tomcat 9.0.21, and this version of Tomcat has support for samesite cookies. See https://tomcat.apache.org/tomcat-8.5-doc/config/cookie-processor.html You would then think of something resembling the following in {CF_INSTANCE_DIR}/runtime/conf/context.xml <Context> <CookieProcessor className="org.apache.tomcat.util.http.LegacyCookieProcessor" sameSiteCookies="strict" /> </Context>
Comment by A. B.
31775 | November 01, 2019 11:01:28 AM GMT
"SameSite" will be more important very soon as Google Chrome will reject 3rdparty cookies if not configured properly. (ie, this will become a real "modernize or die" issue.) I tried responding, but I only saw an icon flash when I attempted to submit my response, so I posted it as a blog post. (This happened recently on the Adobe Community Forums too.) As a workaround, we're using a UDF to generate a "samesite" cookie. https://gamesover2600.tumblr.com/post/188744661844/coldfusion-setcookie-udf-supports-samesite
Comment by James M.
31776 | November 01, 2019 03:35:25 PM GMT
Please add this functionality.
Vote by Moshe R.
31927 | December 04, 2019 09:46:22 PM GMT
Google Chrome 80 Stable is scheduled to be released on Feb 4, 2020. https://www.chromestatus.com/features/schedule https://www.chromestatus.com/feature/5088147346030592 https://www.chromestatus.com/feature/5633521622188032 Can Adobe provide some sort of official response regarding their support for ColdFusion 2016 & 2018? This bug report currently indicates that it will be fixed in "Alpha" and has a "normal" priority.
Comment by James M.
32068 | December 26, 2019 05:58:39 PM GMT
Deadline with Chrome 80 is looming now - roll this out so any fixes have time to be implemented
Vote by Steve L.
32078 | December 27, 2019 01:27:56 AM GMT
We are currently adding samesite support and the same would be included as part of the next update.
Comment by Edwin S.
32069 | January 09, 2020 10:45:51 AM GMT
Edwin, can you please clarify if "next update" means the next update to cf2018 (and. 2016)? Or mght you mean only cf2020?
Comment by Charlie A.
32070 | January 09, 2020 11:09:17 AM GMT
Hi Charlie, we will be adding it for CF2020, CF2018 and CF2016 as well. 
Comment by Edwin S.
32071 | January 09, 2020 12:58:52 PM GMT
Thanks, Edwin. But will the support for cf2018 and 2016 be released in an update, before cf2020 is released, especially if cf2020 may not be released for some months? Again, we're less than a month from the change in chrome that could affect many, some quite detrimentally.
Comment by Charlie A.
32072 | January 13, 2020 01:40:35 PM GMT
Chrome's "samesite" browser update is in 20 days. Will the "next update" be released before or after all Adobe ColdFusion platforms that use a back-end ColdFusion API with different hostname are negatively impacted? Here's an article regarding it that was published 1/16/2020: https://webmasters.googleblog.com/2020/01/get-ready-for-new-samesitenone-secure.html Official instructions & examples for various platforms are listed here. Adobe ColdFusion is not listed. https://github.com/GoogleChromeLabs/samesite-examples I plan on recommended my UDF as a samte-site ColdFusion example unless anyone has a better workaround. https://gamesover2600.tumblr.com/post/188744661844/coldfusion-setcookie-udf-supports-samesite
Comment by James M.
32073 | January 17, 2020 02:30:54 PM GMT
Another option, should Adobe's update not be released in time, is to use some sort of HTTP request post processor to add the flag. For example, with IIS's URL ReWrite tool, you could use the following outbound rule: <rule name="Add SameSite Cookies Flag"> <match serverVariable="RESPONSE_Set-Cookie" pattern="^(.*)(=.*)$" /> <action type="Rewrite" value="{R:0}; SameSite=lax" /> </rule> Just note that this rule would apply to EVERY cookie that is set unless you were to modify the pattern to exclude some of them, etc.
Comment by Mosh T.
32074 | January 17, 2020 03:43:57 PM GMT
so whats the deal with this? i'm kinda worried about charlie saying 'we're less than a month from the change in chrome that could affect many, some quite detrimentally' and theres no response from adobe! this issue has been open since 2018 are there any articles on how best to deal with this change in coldfusion?
Comment by luke m.
32075 | January 29, 2020 11:53:37 AM GMT
The silence is deafening...
Comment by Sid W.
32076 | January 29, 2020 11:23:24 PM GMT
https://blog.chromium.org/2019/10/developers-get-ready-for-new.html With Chrome 80 in February, Chrome will treat cookies that have no declared SameSite value as SameSite=Lax cookies. Only cookies with the SameSite=None; Secure setting will be available for external access, provided they are being accessed from secure connections. The Chrome Platform Status trackers for SameSite=None and Secure will continue to be updated with the latest launch information.
Comment by John W.
32077 | January 30, 2020 09:08:07 AM GMT
Just more info on it - we'd really like to see this implemented: https://web.dev/samesite-cookies-explained/ https://www.troyhunt.com/promiscuous-cookies-and-their-impending-death-via-the-samesite-policy/
Comment by Matthew C.
32086 | February 04, 2020 04:56:56 PM GMT
Here's status updates that I received on 2/24/2020: - Failure Type updated from 'Others' to an empty value. - Version updated to '13.0' What does this mean? I don't see this info reflected in any details above. Will this be released in Feb 2020? Will this be released for ColdFusion 2016?
Comment by James M.
33192 | February 25, 2020 03:28:43 PM GMT
This has been fixed and will be made available in the next bug-fix update cycle, due in Q2 2020.
Comment by Vamseekrishna N.
33233 | March 03, 2020 04:19:03 AM GMT
Chrome is starting to require the samesite attribute
Vote by Rafael S.
33274 | March 12, 2020 12:34:22 PM GMT
This is now an issue as Chrome blocks all cookies that require this attribute that are not on the same site. Which means that cookies are unusable in Chrome - we need a fix now! Is there a hot fix?
Comment by Toby W.
33306 | March 20, 2020 08:26:05 AM GMT
Hi All,   We have attached the patch for both CF2016 as well as CF2018 Request everyone to apply the patch and check if it covers all the scenarios.   The steps to apply the patch is shared in the zip file itself. Details are written in the file named Readme.txt How to use it in your code is also shared in the Readme.txt file present inside the zip   Thanks, Kailash
Comment by Kailash B.
33334 | March 24, 2020 10:43:54 AM GMT
The instructions in the CF2016.zip attachment are incorrect. I downloaded the instructions for CF2018 to contrast and compare in order to determine what to do. (CF2016 instructions indicate to backup 3 files and to only copy over 2 files.) Could you please update this?
Comment by James M.
33335 | March 24, 2020 02:30:02 PM GMT
Hi James,   Thanks for pointing it out. I have modified the Readme.txt. The files are still unchanged, just the description in Readme.txt has changed.   Thanks, Kailash
Comment by Kailash B.
33336 | March 25, 2020 08:18:04 AM GMT
This 3/24/2020 patch introduces a new bug. This throws an "The tag handler cookie does not have a setter for the attribute samesite specified in the Tag Library Descriptor." error. (This leads me to believe that the functionality wasn't fully tested in any production application before making the patch available.) <cfset CookieSettings = {name="test", value="#Now()#"}> <cfcookie attributecollection="#CookieSettings#">
Comment by James M.
33337 | March 29, 2020 10:47:02 AM GMT
False alarm... after further debugging, it appears that the update was not performed correctly. The "hf201600-4201688.Jar" file wasn't copied to the {INSTANCE_NAME}/lib/updates/ folder. (Interestingly enough, the simple absence of the "samesite" cookie was the only thing that triggered the error.)
Comment by James M.
33338 | March 29, 2020 11:09:14 AM GMT
Has anyone this bug fix to work? I am running CF2018 Enterprise ver. 2018.0.08.318307 on Websphere 9 and OS: RedHat Enterprise Linux 7.2. We applied hf201600-4201688 as the instructions stated; however, I noticed "Catalina.jar" file does not exists in any directory as I believe that is used on Tomcat. It doesn't appear that the samesite attribute of cfcookie works. Example: <cfcookie name="TEST" value="abc123" samesite="None"> Cookie Result: NAME: AMWEBJCT!%2Fjrtlappsdev!TEST VALUE: abc123 SAMESITE is empty Thanks.
Comment by Gerald D.
33339 | March 31, 2020 10:48:10 PM GMT
Hi Gerald, We are adding header from our side. If it is not being honoured, then Websphere might be processing the Set-Cookie headers to remove unexpected attributes. So they need to support as well Few application servers(including Tomcat) do not support samesite attribute on an individual cookie level. They have it as a server wide attribute. So even if we set the cookie on CF side, it could be overwritten by server level samesite value on the app server. 
Comment by Edwin S.
33340 | April 02, 2020 04:45:14 AM GMT