jsessionid and SameSite=None for ColdFusion 10

Explorer, Mar 10, 2020

Hi, I am running ColdFusion 10 Enterprise and we found two of our sites vulnerable to the Chrome 80 update for SameSite cookies. I have "Use J2EE session variables" checked and Session Cookie Settings set for HTTPOnly. The issue is our main site iframes this supporting site in and we get the console message "A cookie associated with a cross-site resource at *Domain Name Here* was set without the `SameSite` attribute. It has been blocked". Since these are different domains it doesn't work. I am trying to find out if there is a way to set that SameSite value to "none" for the jsessionid cookie. I tried a few things through the Java and JVM settings but nothing worked there and in fact actually hosed it up once and had to revert it. Any ideas/suggestions/solutions are greatly appreciated. Thanks.

 

Correct answer by Charlie Arehart | Adobe Community Professional, Mar 11, 2020

Gerald, while Adobe is due to add SameSite support in a coming update to CF2018 and 2016 (frustratingly late to the game), they will not be updating CF11 or earlier, as those are no longer updated.

But here's good news: you can implement a solution yourself, by way of your web server and its rewrite feature. While most only conceive of that for modifying INCOMING requests, they can also manipulate OUTGOING responses.

In particular, they can modify the cookies created by CF (or any app server), and in fact our own Pete Freitag has written posts on how to do it in each of IIS and Apache, starting here:

https://www.petefreitag.com/item/850.cfm

Let us know if that does the trick for you.

/Charlie (server troubleshooter, carehart.org)

Explorer, Mar 11, 2020

Hey Charlie, thanks for the reply. I actually found that link a couple days ago but I only tried the web.config version with no luck. Turns out the server did not have the URL rewrite module installed (D'oh!) so I installed that on my IIS 8.5 version we are running. I then implemented the rule as Pete clearly shows. One mistake I made the first time was to use "SameSite=lax" which I quickly realized was wrong so I changed it to "SameSite=none" and restarted IIS (not sure if that step is necessary but it didn't hurt). I am glad to report that this process did INDEED fix my issue. Thanks Charlie for pointing me back to that link and thanks to Pete for the solution.

Adobe Community Professional, Mar 11, 2020

Great to hear. Thanks for the update, and also for choosing the "correct answer" option. Hope it may help many others. 

/Charlie (server troubleshooter, carehart.org)

Jamo | Engaged, Mar 11, 2020

"SameSite" support was reported & requested over 2 years ago (CF-4201688 on 3/22/2018). Adobe finally responded on 1/9/2020 that SameSite support would be added to versions 2016, 2018 and 2020.  On 3/3 (after Chrome's Feb 2020 deadline), Adobe announced that they would be releasing the updates sometime during "Q2 2020".

https://tracker.adobe.com/#/view/CF-4201688

 

I wrote a SetCookie UDF (11/1/2019) which uses CFCookie and AttributeCollection to create a regular cookie (required to add to CF's "cookie" scope) and also a cookie response HTTP header to add the missing "samesite" support.
https://gist.github.com/JamoCA/bc34e27704eac277fcaf7053c54912b6

    <cfset SetCookie(name="SAMESITECOOKIE", value="#Now()#", secure=true, httponly=true, samesite="lax")>

Regarding the IIS Rewrite rule, please be aware that the samesite rule will apply to every cookie and this may not be desirable in every instance.  Be sure to test your application to ensure that it does what you want.
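
As an added illustration (not code from this thread, from Pete Freitag's post, or from Adobe), the IIS URL Rewrite outbound rule below applies the narrowing Jamo recommends: it appends SameSite=None only to the JSESSIONID cookie, leaves every other cookie with the browser's default (Lax) treatment, and skips responses whose Set-Cookie header already carries a SameSite attribute. It assumes the session cookie is named JSESSIONID (as in the question), that the URL Rewrite module is installed (the step Gerald found he was missing), and that the site is served over HTTPS, because Chrome 80 discards a SameSite=None cookie that is not also marked Secure. The rule and precondition names are arbitrary.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <outboundRules>
        <!-- Rewrite only the JSESSIONID Set-Cookie header. Other cookies keep
             the Lax default, which is the safer choice for any cookie that
             does not have to be sent from inside a cross-site iframe. -->
        <rule name="JSESSIONID SameSite=None" preCondition="JSESSIONID lacks SameSite">
          <match serverVariable="RESPONSE_Set_Cookie" pattern="^(JSESSIONID=.*)$" negate="false" />
          <!-- Chrome 80 accepts SameSite=None only together with Secure, so both
               attributes are appended; a repeated Secure is harmless if the
               cookie already carries one. -->
          <action type="Rewrite" value="{R:1}; SameSite=None; Secure" />
        </rule>
        <preConditions>
          <preCondition name="JSESSIONID lacks SameSite">
            <!-- Fire only when the response sets JSESSIONID ... -->
            <add input="{RESPONSE_Set_Cookie}" pattern="^JSESSIONID=" />
            <!-- ... and no SameSite attribute is present yet, so the rule never
                 appends a second copy (IIS patterns are case-insensitive). -->
            <add input="{RESPONSE_Set_Cookie}" pattern="SameSite=" negate="true" />
          </preCondition>
        </preConditions>
      </outboundRules>
    </rewrite>
  </system.webServer>
</configuration>
```

Place the rule in the site's web.config (or merge the `<rewrite>` section into an existing one), then confirm in the browser's developer tools that JSESSIONID now shows SameSite=None and Secure while the site's other cookies are unchanged; loading the site inside the iframe from the other domain is the real test, as Jamo advises. Keep in mind that SameSite=None gives up the cross-site request protection the Lax default provides for that cookie, so the application still needs its own CSRF defence on state-changing requests.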

 

 
