Mailing List webobjects-dev@wocommunity.org Message #492
From: Josef Burzler <josef@selbstdenker.ag>
Subject: Re: [WO-DEV] SameSite Cookie warning
Date: Wed, 28 Feb 2024 09:38:55 +0100
To: WebObjects & WOnder Development <webobjects-dev@wocommunity.org>
Hi Tim,

In my view, you did describe what to do to avoid the browser warning with respect to „SameSite“.

However, after introducing „SameSite=strict“ into one of our applications, users complained that their sessions were frequently lost, i.e. they got logged out and had to log in again. Users were following links to the application (direct actions) which were listed within their internal WIKI-system. Their WIKI-system runs on a domain which differs from that of the WO-application. Due to the SameSite requirement, the session cookie could not be accessed and a new, unauthenticated session was created.
We had to revert to 
er.extensions.ERXSession.cookies.SameSite=None
and adapt the custom code in „ERXApplication.addBalancerRouteCookie“ to avoid this annoying problem. 
To nonetheless keep the system secure and avoid information disclosure through deep links into authorized sessions, we configured referrer whitelisting in our web server and employed a WAP to only allow trusted IPs and/or GeoIP.

Cheers, Josef
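The session loss Josef describes follows directly from how a browser applies the SameSite attribute. The following is an added illustration, not code from the thread or from Wonder: a small Python model of the browser-side decision, with constructed hostnames, a simplified site comparison (last two host labels, no public-suffix list, no scheme check) and no modelling of Chrome's temporary "Lax+POST" exception.

```python
# Added example: model of the browser's SameSite decision, showing why
# SameSite=Strict drops the "wosid" session on a cross-site deep link.
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import urlsplit

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


@dataclass(frozen=True)
class Cookie:
    name: str
    same_site: str      # "Strict", "Lax" or "None"
    secure: bool = True


def site_of(url: str) -> str:
    """Registrable site of a URL (hypothetical helper, simplified:
    last two host labels, no public-suffix list)."""
    host = urlsplit(url).hostname or ""
    return ".".join(host.split(".")[-2:])


def cookie_is_sent(cookie: Cookie, request_url: str, initiator_url: Optional[str],
                   method: str = "GET", top_level: bool = True) -> bool:
    """Would a browser attach `cookie` to a request for `request_url` that was
    initiated from a page at `initiator_url`? None = typed URL or bookmark."""
    if cookie.secure and urlsplit(request_url).scheme != "https":
        return False                      # Secure cookies go over HTTPS only
    if initiator_url is None or site_of(initiator_url) == site_of(request_url):
        return True                       # same-site: SameSite never blocks
    value = cookie.same_site.lower()
    if value == "none":
        return cookie.secure              # browsers reject None without Secure
    if value == "lax":
        return top_level and method in SAFE_METHODS  # top-level GET navigations
    return False                          # Strict: never sent cross-site


def deep_link_outcomes() -> Dict[str, bool]:
    """The thread's scenario: a user clicks a wiki link (other domain) to a
    direct action of the WO app, i.e. a top-level GET. Hosts are constructed."""
    wo_action = "https://app.example.com/cgi-bin/WebObjects/MyApp.woa/wa/report"
    wiki_page = "https://wiki.example.org/Reports"
    return {value: cookie_is_sent(Cookie("wosid", value), wo_action, wiki_page)
            for value in ("Strict", "Lax", "None")}


if __name__ == "__main__":
    for value, sent in deep_link_outcomes().items():
        print(f"SameSite={value:<6} wosid sent on cross-site deep link: {sent}")
```

Strict blocks the session cookie on the wiki link (hence the fresh, unauthenticated session), Lax still sends it for top-level GET navigations while withholding it from cross-site POSTs and embedded requests, and None sends it everywhere but only when the cookie is also marked Secure.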


On 28.02.2024 at 00:26, D Tim Cummings <tim@triptera.com.au> wrote:

Hi all

I am getting warnings in Firefox developer tools when running a WebObjects/Wonder application.

Cookie “wosid” does not have a proper “SameSite” attribute value. Soon, cookies without the “SameSite” attribute or with an invalid value will be treated as “Lax”. This means that the cookie will no longer be sent in third-party contexts. If your application depends on this cookie being available in such contexts, please add the “SameSite=None“ attribute to it. To know more about the “SameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite

I am getting the same warning for "wosid", "woinst" and "routeid_myapp" cookies.

It looks like I can set properties

er.extensions.ERXSession.cookies.SameSite=strict
er.extensions.ERXSession.useSecureSessionCookies=true

and that fixes the "wosid" and "woinst" cookies but not the "routeid_myapp" cookie. 

I can override ERXApplication.addBalancerRouteCookie(WOContext context) to apply the same settings but this seems like a bit of a hack considering the elegant solution available for the other two cookies. What are other people doing?

Cheers

Tim


