Hi, I am running ColdFusion10 Enterprise and we found two of our sites vulnerable to the Chrome80 update for SameSite cookies. I have "Use J2EE session variables" checked and Session Cookie Settings set for HTTPOnly. The issue is our main site iframes this supporting site in and we get console message "A cookie associated with a cross-site resource at *Domain Name Here* was set without the `SameSite` attribute. It has been blocked". Since these are different domains it doesn't work. I am trying to find out if there is a way to set that SameSite value to "none" for the jsessionid cookie. I tried a few things thru the Java and JVM settigs but nothing worked there and in fact actually hosed it up once and had to revert it. Any ideas/suggestions/solutions are greatly appreciated. Thanks.
1 Correct answer
Gerald while Adobe is due to add samesite support in a coming update to cf2018 and 2016 (frustratingly late to the game), they will not be updating cf11 or earlier, as those are no longer updated.
But here's good news, you can implement a solution yourself, by way of your web server and its rewrite feature. While most only conceive of that for modifying INCOMING requests, they can also manipulate OUTGOING responses.
In particular, they can modify the cookies created by cf (are any app serve
...
4
Replies
Hey Charlie, thanks for the reply. I actually found that link a couple days ago but I only tried the web.config version with no luck. Turns out the server did not have the URL rewrite module installed (D'oh!) so I installed that on my IIS 8.5 version we are running. I then implemented the rule as Pete clearly shows. One mistake I made the first time was to use "SameSite=lax" which I quickly realized was wrong so I changed it to "SameSite=none" and restarted IIS (not sure if that step is necessary but it didn't hurt). I am glad to report that this process did INDEED fix my issue. Thanks Charlie for pointing me back to that link and thanks to Pete for the solution.
AdChoices