Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

No support for SameSite cookie directive #9440

Closed
3 of 4 tasks
dhensby opened this issue Mar 26, 2020 · 2 comments · Fixed by #10335
Closed
3 of 4 tasks

No support for SameSite cookie directive #9440

dhensby opened this issue Mar 26, 2020 · 2 comments · Fixed by #10335
Assignees
@emteknetnz
Labels
affects/v4 affects/v5 complexity/low impact/medium type/enhancement

Comments

@dhensby
Copy link
Contributor

dhensby commented Mar 26, 2020
edited by GuySartorelli
Loading

Affected Version

All versions

Description

Cookies support an additional directive SameSite which we have no way of supporting in the current Cookie implementation (due to lack of parameters).

This is a problem because sites running over HTTPS and in iframes need to explicitly set this directive otherwise the cookies are not set (including session cookies).

Further support for SameSite in php's cookie functions has been added in 7.3.0, so anyone running older versions of PHP is going to struggle unless we completely rework how we set cookies.

Further info https://web.dev/samesite-cookies-explained/

I've managed to hack this together on a site of mine to make sure it works, but it does involve disabling PHP's native cookie handling for sessions and also manually setting cookies via adding set-cookie headers rather than using PHP's setcookie API.

Acceptance criteria

  • Feedback on Matt's PR is addressed
  • People can opt-in to use this feature in when setting their cookies (i.e. set a different value other than the default)
  • Sensible explicit default value is provided (Lax, Strict or none)
  • Relevant doc is updated

Pull requests
@dhensby dhensby mentioned this issue Jun 17, 2020
Closed
@madmatt madmatt mentioned this issue Feb 3, 2021
Closed
@pine3ree pine3ree mentioned this issue Apr 21, 2021
Closed
@maxime-rainville
Copy link
Contributor

Seems like Matt's solution is pretty close to done. Might be worth taking this through a quick grooming to figure out what we want to do with it.

@GuySartorelli GuySartorelli self-assigned this May 26, 2022
@GuySartorelli
Copy link
Member

GuySartorelli commented May 26, 2022
edited
Loading

Matt's solution could have backwards compatibility concerns - there's another PR #9920 which takes the approach using config instead. I'm going to base a new PR off this, and in review we can discuss the merits and fallbacks.

I think for now having the ability to configure some value is better than nothing, and I'd like to avoid breaking anyone's custom cookie code (if, for example, someone implemented this in their own project, they may be subclassing some of our cookie classes and overriding the public methods, so any new parameters there would break their site). Adding it as a parameter would be a good exercise for a major.

@GuySartorelli GuySartorelli mentioned this issue May 26, 2022
Merged
@GuySartorelli GuySartorelli linked a pull request May 26, 2022 that will close this issue
ENH Add samesite attribute to cookies. #10335
Merged
@GuySartorelli GuySartorelli removed their assignment May 31, 2022
@GuySartorelli GuySartorelli removed their assignment Jun 1, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@emteknetnz emteknetnz

Labels
affects/v4 affects/v5 complexity/low impact/medium type/enhancement
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

ENH Add samesite attribute to cookies. creative-commoners/silverstripe-framework
5 participants
@bergice @dhensby @maxime-rainville @emteknetnz @GuySartorelli