Skip to main content
Jdsplicer
Jdsplicer
Inspiring
March 11, 2020
Answered

jsessionid and SameSite=None for ColdFusion 10

  • March 11, 2020
  • 2 replies
  • 3495 views

Hi, I am running ColdFusion10 Enterprise and we found two of our sites vulnerable to the Chrome80 update for SameSite cookies. I have "Use J2EE session variables" checked and Session Cookie Settings set for HTTPOnly. The issue is our main site iframes this supporting site in and we get console message "A cookie associated with a cross-site resource at *Domain Name Here* was set without the `SameSite` attribute. It has been blocked". Since these are different domains it doesn't work. I am trying to find out if there is a way to set that SameSite value to "none" for the jsessionid cookie.  I tried a few things thru the Java and JVM settigs but nothing worked there and in fact actually hosed it up once and had to revert it. Any ideas/suggestions/solutions are greatly appreciated. Thanks.

 

    This topic has been closed for replies.
    Correct answer Charlie Arehart

    Gerald while Adobe is due to add samesite support in a coming update to cf2018 and 2016 (frustratingly late to the game), they will not be updating cf11 or earlier, as those are no longer updated.

     

    But here's good news, you can implement a solution yourself, by way of your web server and its rewrite feature. While most only conceive of that for modifying INCOMING requests, they can also manipulate OUTGOING responses. 

     

    In particular, they can modify the cookies created by cf (are any app server), and in fact our own Pete Freitag has written posts on how to do it in each of IIS and Apache, starting here:

     

    https://www.petefreitag.com/item/850.cfm

     

    Let's us know if that does the trick for you. 

    2 replies

    James Moberg
    James Moberg
    Inspiring
    March 11, 2020

    "SameSite" support was reported & requested over 2 years ago (CF-4201688 on 3/22/2018). Adobe finally responded on 1/9/2020 that SameSite support would be added to versions 2016, 2018 and 2020.  On 3/3 (after Chrome's Feb 2020 deadline), Adobe announced that they would be releasing the updates sometime during "Q2 2020".

    https://tracker.adobe.com/#/view/CF-4201688

     

    I wrote a SetCookie UDF (11/1/2019) which uses CFCookie and AttributeCollection to create a regular cookie (required to add to CF's "cookie" scope) and also a cookie response HTTP header to add the missing "samesite" support.
    https://gist.github.com/JamoCA/bc34e27704eac277fcaf7053c54912b6

     

        <cfset SetCookie(name="SAMESITECOOKIE", value="#Now()#", secure=true, httponly=true, samesite="lax")>

     

    Regarding the IIS Rewrite rule, please be aware that the samesite rule will apply to every cookie and this may not be desirable in every instance.  Be sure to test your application to ensure that it does what you want.

     

     

    Charlie Arehart
    Charlie ArehartCorrect answer
    Community Expert
    March 11, 2020

    Gerald while Adobe is due to add samesite support in a coming update to cf2018 and 2016 (frustratingly late to the game), they will not be updating cf11 or earlier, as those are no longer updated.

     

    But here's good news, you can implement a solution yourself, by way of your web server and its rewrite feature. While most only conceive of that for modifying INCOMING requests, they can also manipulate OUTGOING responses. 

     

    In particular, they can modify the cookies created by cf (are any app server), and in fact our own Pete Freitag has written posts on how to do it in each of IIS and Apache, starting here:

     

    https://www.petefreitag.com/item/850.cfm

     

    Let's us know if that does the trick for you. 

    /Charlie (troubleshooter, carehart. org)
      Jdsplicer
      JdsplicerAuthor
      Inspiring
      March 11, 2020

      Hey Charlie, thanks for the reply. I actually found that link a couple days ago but I only tried the web.config version with no luck. Turns out the server did not have the URL rewrite module installed (D'oh!) so I installed that on my IIS 8.5 version we are running. I then implemented the rule as Pete clearly shows. One mistake I made the first time was to use "SameSite=lax" which I quickly realized was wrong so I changed it to "SameSite=none" and restarted IIS (not sure if that step is necessary but it didn't hurt). I am glad to report that this process did INDEED fix my issue. Thanks Charlie for pointing me back to that link and thanks to Pete for the solution.

      Charlie Arehart
      Charlie Arehart
      Community Expert
      March 11, 2020

      Great to hear. Thanks for the update, and also for choosing the "correct answer" option. Hope it may help many others. 

      /Charlie (troubleshooter, carehart. org)
      Terms & ConditionsAccessibility statement
      Using the community Terms of use Privacy Cookie preferences Do not sell or share my personal information ad choicesAdChoices