Mailing List webobjects-dev@wocommunity.org Message #491
From: D Tim Cummings <tim@triptera.com.au>
Subject: SameSite Cookie warning
Date: Wed, 28 Feb 2024 09:26:19 +1000
To: WebObjects & WOnder Development <webobjects-dev@wocommunity.org>
 Message Header

Undecoded Message

Hi all

I am getting warnings in firefox developer tools when running WebObjects/Wonder application.

Cookie “wosid” does not have a proper “SameSite” attribute value. Soon, cookies without the “SameSite” attribute or with an invalid value will be treated as “Lax”. This means that the cookie will no longer be sent in third-party contexts. If your application depends on this cookie being available in such contexts, please add the “SameSite=None“ attribute to it. To know more about the “SameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite

I am getting the same warning for "wosid", "woinst" and "routeid_myapp" cookies.

It looks like I can set properties

er.extensions.ERXSession.cookies.SameSite=strict
er.extensions.ERXSession.useSecureSessionCookies=true

and that fixes the "wosid" and "woinst" cookies but not the "routeid_myapp" cookie. 

I can override ERXApplication.addBalancerRouteCookie(WOContext context) to apply the same settings but this seems like a bit of a hack considering the elegant solution available for the other two cookies. What are other people doing?

Cheers

Tim


Subscribe (FEED) Subscribe (DIGEST) Subscribe (INDEX) Unsubscribe Mail to Listmaster