X-CGP-ClamAV-Result: CLEAN
X-VirusScanner: Niversoft's CGPClamav Helper v1.25a (ClamAV 0.103.11/27198)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=simple/simple; d=selbstdenker.ag; s=mail;
	bh=cNA2XWLAovoaic6jiy7EuReAEvoqfTqm1s52kkz2d3o=;
	h=References:To:In-Reply-To:Subject:Date:Mime-Version:Content-Type:Message-Id
	:From; b=NGoUxT09+6abapMAtnRr2iNJTaXEEbwUC10sSFi3Y1TK4z3Oy56GG6c+6j3mlOjjgIlv
	M8tXThpFfTmwNLmuglcQiWfQYAGbM82aC5aCqHvQPjKrSSsfePL5E8U7Uci7Z5VHACoCp2qH9V6jY
	FSpthpgPo3nwhICYXQq3muWsXMWHnuDxLM9T43bBH/7gJNyzX4FZu3GBWJ6TNEgDbehgQGhda/cPQ
	hVoMwHIoZ482GnmfZIOOQNBnwOwrvs7E5MtEpszzUlm0B8dlXdcE949bPkYwmbLpWEA8TpZ3XBGtA
	m4pYht/Rn4Z45/qC6dCrbB+rhiPW/4rKcbkOmvEj5CA==
Return-Path: <josef@selbstdenker.ag>
Received: from [87.165.124.194] (HELO smtpclient.apple)
  by selbstdenker.ag (CommuniGate Pro SMTP 6.3.18)
  with ESMTPS id 32130839; Wed, 28 Feb 2024 09:39:05 +0100
From: Josef Burzler <josef@selbstdenker.ag>
Message-Id: <AC082A72-7155-456E-A943-DE9305B151D0@selbstdenker.ag>
Content-Type: multipart/alternative;
	boundary="Apple-Mail=_670DF204-7730-417B-B924-6A66585DA588"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3774.400.31\))
Date: Wed, 28 Feb 2024 09:38:55 +0100
Subject: Re: [WO-DEV] SameSite Cookie warning
In-Reply-To: <list-32127875@post.selbstdenker.com>
To: WebObjects & WOnder Development <webobjects-dev@wocommunity.org>
References: <list-32127875@post.selbstdenker.com>
X-Mailer: Apple Mail (2.3774.400.31)


--Apple-Mail=_670DF204-7730-417B-B924-6A66585DA588
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=utf-8

Hi Tim,

in my view you did describe what to do to avoid the browser warning with =
respect to =E2=80=9ESameSite=E2=80=9C.

However, after introducing =E2=80=9ESamSite=3Dstrict=E2=80=9C into one =
of our application, users complained that their sessions frequently were =
lost, i.e. they got logged out and had to log in again. Users were =
following links to the application (direct actions) which were listed =
within their internal WIKI-System. Their WIKI-system runs on a domain =
which differs from that of the WO-application. Due to the SameSite =
requirement, the session cookie could not be accessed and a new, =
unauthenticated session was created.=20
We had to revert to=20
	er.extensions.ERXSession.cookies.SameSite=3DNone
and adapt the custom code in =E2=80=9EERXApplication.addBalancerRouteCooki=
e=E2=80=9C to avoid this annoying problem.=20
To nonetheless keep good security of the system and avoid information =
disclosure through deep links into authorized sessions we configured =
whitelisting of referrers into our web server and employed a WAP to only =
allow trusted IPs and/or GeoIP.

Cheers, Josef


> Am 28.02.2024 um 00:26 schrieb D Tim Cummings <tim@triptera.com.au>:
>=20
> Hi all
>=20
> I am getting warnings in firefox developer tools when running =
WebObjects/Wonder application.
>=20
> Cookie =E2=80=9Cwosid=E2=80=9D does not have a proper =E2=80=9CSameSite=E2=
=80=9D attribute value. Soon, cookies without the =E2=80=9CSameSite=E2=80=9D=
 attribute or with an invalid value will be treated as =E2=80=9CLax=E2=80=9D=
. This means that the cookie will no longer be sent in third-party =
contexts. If your application depends on this cookie being available in =
such contexts, please add the =E2=80=9CSameSite=3DNone=E2=80=9C =
attribute to it. To know more about the =E2=80=9CSameSite=E2=80=9C =
attribute, read =
https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite
>=20
> I am getting the same warning for "wosid", "woinst" and =
"routeid_myapp" cookies.
>=20
> It looks like I can set properties
>=20
> er.extensions.ERXSession.cookies.SameSite=3Dstrict
> er.extensions.ERXSession.useSecureSessionCookies=3Dtrue
>=20
> and that fixes the "wosid" and "woinst" cookies but not the =
"routeid_myapp" cookie.=20
>=20
> I can override ERXApplication.addBalancerRouteCookie(WOContext =
context) to apply the same settings but this seems like a bit of a hack =
considering the elegant solution available for the other two cookies. =
What are other people doing?
>=20
> Cheers
>=20
> Tim
>=20
>=20
>=20


--Apple-Mail=_670DF204-7730-417B-B924-6A66585DA588
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html;
	charset=utf-8

<html><head><meta http-equiv=3D"content-type" content=3D"text/html; =
charset=3Dutf-8"></head><body style=3D"overflow-wrap: break-word; =
-webkit-nbsp-mode: space; line-break: after-white-space;">Hi =
Tim,<div><br></div><div><div>in my view you did describe what to do to =
avoid the browser warning with respect to =
=E2=80=9ESameSite=E2=80=9C.</div><div><br></div><div>However, after =
introducing =E2=80=9ESamSite=3Dstrict=E2=80=9C into one of our =
application, users complained that their sessions frequently were lost, =
i.e. they got logged out and had to log in again. Users were following =
links to the application (direct actions) which were listed within their =
internal WIKI-System. Their WIKI-system runs on a domain which differs =
from that of the WO-application. Due to the SameSite requirement, the =
session cookie could not be accessed and a new, unauthenticated session =
was created.&nbsp;</div><div>We had to revert to&nbsp;</div><div><span =
class=3D"Apple-tab-span" style=3D"white-space:pre">	=
</span>er.extensions.ERXSession.cookies.SameSite=3DNone</div><div>and =
adapt the custom code in =E2=80=9EERXApplication.addBalancerRouteCookie=E2=
=80=9C to avoid this annoying problem.&nbsp;</div><div>To nonetheless =
keep good security of the system and avoid information disclosure =
through deep links into authorized sessions we configured whitelisting =
of referrers into&nbsp;<span style=3D"caret-color: rgb(0, 0, 0); color: =
rgb(0, 0, 0);">our web server</span><span style=3D"caret-color: rgb(0, =
0, 0); color: rgb(0, 0, 0);">&nbsp;</span>and employed a WAP to only =
allow trusted IPs and/or GeoIP.</div><div><br></div><div>Cheers, =
Josef</div><div><br></div><div><br><blockquote type=3D"cite"><div>Am =
28.02.2024 um 00:26 schrieb D Tim Cummings =
&lt;tim@triptera.com.au&gt;:</div><br =
class=3D"Apple-interchange-newline"><div>

 =20

    <meta http-equiv=3D"content-type" content=3D"text/html; =
charset=3DUTF-8">
 =20
  <div text=3D"#000000" bgcolor=3D"#FFFFFF"><p>Hi all <br>
    </p><p>I am getting warnings in firefox developer tools when running
      WebObjects/Wonder application.</p><p><i>Cookie =E2=80=9Cwosid=E2=80=9D=
 does not have a proper =E2=80=9CSameSite=E2=80=9D attribute
        value. Soon, cookies without the =E2=80=9CSameSite=E2=80=9D =
attribute or with an
        invalid value will be treated as =E2=80=9CLax=E2=80=9D. This =
means that the
        cookie will no longer be sent in third-party contexts. If your
        application depends on this cookie being available in such
        contexts, please add the =E2=80=9CSameSite=3DNone=E2=80=9C =
attribute to it. To
        know more about the =E2=80=9CSameSite=E2=80=9C attribute, read
        <a class=3D"moz-txt-link-freetext" =
href=3D"https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/Sam=
eSite">https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/Same=
Site</a></i></p><p>I am getting the same warning for "wosid", "woinst" =
and
      "routeid_myapp" cookies.<br>
    </p><p>It looks like I can set properties</p><p><font =
face=3D"monospace">er.extensions.ERXSession.cookies.SameSite=3Dstrict<br>
        =
er.extensions.ERXSession.useSecureSessionCookies=3Dtrue</font></p><p>and =
that fixes the "wosid" and "woinst" cookies but not the
      "routeid_myapp" cookie.&nbsp;</p><p>I can override =
ERXApplication.addBalancerRouteCookie(WOContext
      context) to apply the same settings but this seems like a bit of a
      hack considering the elegant solution available for the other two
      cookies. What are other people doing?</p><p>Cheers</p><p>Tim<br>
    </p><p><br>
    </p>
  </div>

</div></blockquote></div><br></div></body></html>=

--Apple-Mail=_670DF204-7730-417B-B924-6A66585DA588--