Subject: Re: [WO-DEV] Re: SameSite Cookie warning
From: D Tim Cummings <tim@triptera.com.au>
To: WebObjects & WOnder Development <webobjects-dev@wocommunity.org>
Date: Wed, 28 Feb 2024 20:07:17 +1000

Thanks, Josef, for sharing your experience. We don't have any links from different domains, so that should not be a problem for us.

Tim

On 28/2/24 18:38, Josef Burzler wrote:
> Hi Tim,
>
> in my view you did describe what to do to avoid the browser warning with respect to „SameSite“.
>
> However, after introducing „SameSite=strict“ into one of our applications, users complained that their sessions frequently were lost, i.e. they got logged out and had to log in again. Users were following links to the application (direct actions) which were listed within their internal WIKI-System. Their WIKI-System runs on a domain which differs from that of the WO-application. Due to the SameSite requirement, the session cookie could not be accessed and a new, unauthenticated session was created.
> We had to revert to
> er.extensions.ERXSession.cookies.SameSite=None
> and adapt the custom code in „ERXApplication.addBalancerRouteCookie“ to avoid this annoying problem.
> To nonetheless keep good security of the system and avoid information disclosure through deep links into authorized sessions, we configured whitelisting of referrers in our web server and employed a WAP to only allow trusted IPs and/or GeoIP.
>
> Cheers, Josef
>
>
>> On 28.02.2024 at 00:26, D Tim Cummings <tim@triptera.com.au> wrote:
>>
>> Hi all
>>
>> I am getting warnings in Firefox developer tools when running a WebObjects/Wonder application.
>>
>> Cookie “wosid” does not have a proper “SameSite” attribute value. Soon, cookies without the “SameSite” attribute or with an invalid value will be treated as “Lax”. This means that the cookie will no longer be sent in third-party contexts. If your application depends on this cookie being available in such contexts, please add the “SameSite=None” attribute to it. To know more about the “SameSite” attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite
>>
>> I am getting the same warning for the "wosid", "woinst" and "routeid_myapp" cookies.
>>
>> It looks like I can set the properties
>>
>> er.extensions.ERXSession.cookies.SameSite=strict
>> er.extensions.ERXSession.useSecureSessionCookies=true
>>
>> and that fixes the "wosid" and "woinst" cookies but not the "routeid_myapp" cookie.
>>
>> I can override ERXApplication.addBalancerRouteCookie(WOContext context) to apply the same settings, but this seems like a bit of a hack considering the elegant solution available for the other two cookies. What are other people doing?
>>
>> Cheers
>>
>> Tim



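The lost-session problem Josef describes and the Firefox warning Tim quotes both come down to one browser-side rule: whether a cookie is attached to a request depends on its SameSite attribute and on whether the request is same-site with the page that triggered it. The JavaScript below is an added example, not code from this thread or from Project Wonder, that models that rule as RFC 6265bis specifies it and runs it against the thread's scenario, a link in a wiki on another domain opening a direct action of the WO application. Everything in it is constructed: the hostnames, the cookie values, the direct-action URL, and the simplification that the registrable domain is the last two labels of the hostname (browsers consult the Public Suffix List instead). It goes beyond the thread's case by also checking a cross-site POST, a cross-site subresource, a wiki hosted under the same registrable domain, and the Lax-by-default and None-requires-Secure handling the warning announces.

```javascript
// Added example (not code from the thread or from Project Wonder): a model of
// the browser rule that decides whether a cookie like WebObjects' "wosid" is
// attached to a request, given its SameSite attribute and where the request
// came from. All hostnames, cookie values and URLs below are constructed.

const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

// Parse one Set-Cookie header value into its name/value pair and attributes.
function parseSetCookie(header) {
  const [pair, ...attrParts] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    secure: false,
    httpOnly: false,
    sameSite: null, // the attribute exactly as written, or null when absent
  };
  for (const part of attrParts) {
    const i = part.indexOf("=");
    const key = (i < 0 ? part : part.slice(0, i)).toLowerCase();
    const val = i < 0 ? "" : part.slice(i + 1);
    if (key === "secure") cookie.secure = true;
    else if (key === "httponly") cookie.httpOnly = true;
    else if (key === "samesite") cookie.sameSite = val;
    else cookie[key] = val; // path, domain, max-age, expires
  }
  return cookie;
}

// Effective SameSite policy under the Lax-by-default behaviour the Firefox
// warning in the thread announces: absent or invalid -> Lax; None without
// Secure -> the cookie is rejected and never stored.
function effectiveSameSite(cookie) {
  const v = (cookie.sameSite || "").toLowerCase();
  if (v === "strict") return "Strict";
  if (v === "none") return cookie.secure ? "None" : "Rejected";
  return "Lax";
}

// Registrable domain approximated as the last two labels (assumption for this
// example). Browsers use the Public Suffix List, so suffixes such as "co.uk"
// would need extra handling.
function registrableDomain(hostname) {
  return hostname.split(".").slice(-2).join(".");
}

// Schemeful same-site: same scheme and same registrable domain.
function isSameSite(fromUrl, toUrl) {
  const a = new URL(fromUrl);
  const b = new URL(toUrl);
  return a.protocol === b.protocol &&
    registrableDomain(a.hostname) === registrableDomain(b.hostname);
}

// Would `cookie` (set by the site of targetUrl) be sent on a request to
// targetUrl initiated from initiatorUrl? topLevel=true means a navigation
// (link click, redirect); false means a subresource, fetch or iframe.
function cookieSent(cookie, { initiatorUrl, targetUrl, method = "GET", topLevel = true }) {
  if (cookie.secure && !targetUrl.startsWith("https:")) return false;
  const policy = effectiveSameSite(cookie);
  if (policy === "Rejected") return false;
  if (isSameSite(initiatorUrl, targetUrl)) return true;
  if (policy === "None") return true;
  if (policy === "Lax") return topLevel && SAFE_METHODS.has(method.toUpperCase());
  return false; // Strict: never on a cross-site request
}

// Josef's case from the thread: a link in a wiki on another domain that opens a
// direct action of the WO application, i.e. a cross-site top-level GET.
// Hostnames and the direct-action URL are constructed for this example.
const WIKI_LINK = {
  initiatorUrl: "https://wiki.example.org/Operations/Links",
  targetUrl: "https://app.example.com/cgi-bin/WebObjects/MyApp.woa/wa/show?id=42",
};

function wikiLinkScenario(sameSiteValue) {
  const header = `wosid=abc123; Path=/; Secure; HttpOnly; SameSite=${sameSiteValue}`;
  return cookieSent(parseSetCookie(header), WIKI_LINK);
}

// Compare the three policies for that link; false means the server sees no
// wosid and starts a new, unauthenticated session.
function compareSameSitePolicies() {
  return {
    Strict: wikiLinkScenario("Strict"),
    Lax: wikiLinkScenario("Lax"),
    None: wikiLinkScenario("None"),
  };
}

console.log(compareSameSitePolicies()); // { Strict: false, Lax: true, None: true }
```

Run it with node. The point the comparison makes is that the cross-site link-following case needs only Lax, which still keeps the session cookie off cross-site POSTs, iframes and fetches; None opens all of those and is only accepted at all when Secure is also set. Whatever value is chosen, the same attribute has to reach every cookie that carries or routes the session, which is why the thread ends up treating the routeid cookie separately from wosid and woinst.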