Mailing List webobjects-dev@wocommunity.org Messaggio #493
Da: D Tim Cummings <tim@triptera.com.au>
Oggetto: Re: [WO-DEV] Re: SameSite Cookie warning
Data: Wed, 28 Feb 2024 20:07:17 +1000
A: WebObjects & WOnder Development <webobjects-dev@wocommunity.org>
 Intestazione del messaggio

Testo originale del messaggio

Thanks Josef for sharing your experience. We don't have any links from different domains so that should not be a problem from us.

Tim

On 28/2/24 18:38, Josef Burzler wrote:
Hi Tim,

in my view you did describe what to do to avoid the browser warning with respect to „SameSite“.

However, after introducing „SamSite=strict“ into one of our application, users complained that their sessions frequently were lost, i.e. they got logged out and had to log in again. Users were following links to the application (direct actions) which were listed within their internal WIKI-System. Their WIKI-system runs on a domain which differs from that of the WO-application. Due to the SameSite requirement, the session cookie could not be accessed and a new, unauthenticated session was created. 
We had to revert to 
er.extensions.ERXSession.cookies.SameSite=None
and adapt the custom code in „ERXApplication.addBalancerRouteCookie“ to avoid this annoying problem. 
To nonetheless keep good security of the system and avoid information disclosure through deep links into authorized sessions we configured whitelisting of referrers into our web server and employed a WAP to only allow trusted IPs and/or GeoIP.

Cheers, Josef


Am 28.02.2024 um 00:26 schrieb D Tim Cummings <tim@triptera.com.au>:

Hi all

I am getting warnings in firefox developer tools when running WebObjects/Wonder application.

Cookie “wosid” does not have a proper “SameSite” attribute value. Soon, cookies without the “SameSite” attribute or with an invalid value will be treated as “Lax”. This means that the cookie will no longer be sent in third-party contexts. If your application depends on this cookie being available in such contexts, please add the “SameSite=None“ attribute to it. To know more about the “SameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite

I am getting the same warning for "wosid", "woinst" and "routeid_myapp" cookies.

It looks like I can set properties

er.extensions.ERXSession.cookies.SameSite=strict
er.extensions.ERXSession.useSecureSessionCookies=true

and that fixes the "wosid" and "woinst" cookies but not the "routeid_myapp" cookie. 

I can override ERXApplication.addBalancerRouteCookie(WOContext context) to apply the same settings but this seems like a bit of a hack considering the elegant solution available for the other two cookies. What are other people doing?

Cheers

Tim



Iscrizione modo messaggi Iscrizione modo riassunto Iscrizione modo index Cancella Scrivi al Listmaster