Hi, I am running ColdFusion10 Enterprise and we found two of our sites vulnerable to the Chrome80 update for SameSite cookies. I have "Use J2EE session variables" checked and Session Cookie Settings set for HTTPOnly. The issue is our main site iframes this supporting site in and we get console message "A cookie associated with a cross-site resource at *Domain Name Here* was set without the `SameSite` attribute. It has been blocked". Since these are different domains it doesn't work. I am trying to find out if there is a way to set that SameSite value to "none" for the jsessionid cookie. I tried a few things through the Java and JVM settings but nothing worked there and in fact actually hosed it up once and had to revert it. Any ideas/suggestions/solutions are greatly appreciated. Thanks.
Gerald, while Adobe is due to add samesite support in a coming update to cf2018 and 2016 (frustratingly late to the game), they will not be updating cf11 or earlier, as those are no longer updated.
But here's good news, you can implement a solution yourself, by way of your web server and its rewrite feature. While most only conceive of that for modifying INCOMING requests, they can also manipulate OUTGOING responses.
In particular, they can modify the cookies created by cf (or any app server), and in fact our own Pete Freitag has written posts on how to do it in each of IIS and Apache, starting here:
Let us know if that does the trick for you.
Hey Charlie, thanks for the reply. I actually found that link a couple days ago but I only tried the web.config version with no luck. Turns out the server did not have the URL rewrite module installed (D'oh!) so I installed that on my IIS 8.5 version we are running. I then implemented the rule as Pete clearly shows. One mistake I made the first time was to use "SameSite=lax" which I quickly realized was wrong so I changed it to "SameSite=none" and restarted IIS (not sure if that step is necessary but it didn't hurt). I am glad to report that this process did INDEED fix my issue. Thanks Charlie for pointing me back to that link and thanks to Pete for the solution.
Great to hear. Thanks for the update, and also for choosing the "correct answer" option. Hope it may help many others.
"SameSite" support was reported & requested over 2 years ago (CF-4201688 on 3/22/2018). Adobe finally responded on 1/9/2020 that SameSite support would be added to versions 2016, 2018 and 2020. On 3/3 (after Chrome's Feb 2020 deadline), Adobe announced that they would be releasing the updates sometime during "Q2 2020".
I wrote a SetCookie UDF (11/1/2019) which uses CFCookie and AttributeCollection to create a regular cookie (required to add to CF's "cookie" scope) and also a cookie response HTTP header to add the missing "samesite" support.
<cfset SetCookie(name="SAMESITECOOKIE", value="#Now()#", secure=true, httponly=true, samesite="lax")>
Regarding the IIS Rewrite rule, please be aware that the samesite rule will apply to every cookie and this may not be desirable in every instance. Be sure to test your application to ensure that it does what you want.
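To illustrate the IIS outbound-rewrite approach suggested above, and the caveat that a blanket rule touches every cookie, here is an added web.config fragment (my own example, not Pete Freitag's published rule or anything from Adobe). It scopes the rewrite to the JSESSIONID cookie that "Use J2EE session variables" issues, skips responses whose Set-Cookie already carries a SameSite attribute, and adds Secure alongside SameSite=None, which Chrome requires before it will accept a SameSite=None cookie at all. The rule and precondition names are arbitrary.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <outboundRules>
        <!-- Only rewrite the JSESSIONID Set-Cookie header, not every cookie
             the application emits. Requires the IIS URL Rewrite module. -->
        <rule name="JSESSIONID SameSite=None" preCondition="JSESSIONID without SameSite">
          <match serverVariable="RESPONSE_Set_Cookie" pattern="^(JSESSIONID=.*)$" />
          <!-- SameSite=None is only honoured by Chrome when Secure is also set,
               so the site must be served over HTTPS for this to work. -->
          <action type="Rewrite" value="{R:1}; SameSite=None; Secure" />
        </rule>
        <preConditions>
          <!-- Both entries must match (MatchAll): a Set-Cookie header is
               present, and it does not already declare a SameSite value. -->
          <preCondition name="JSESSIONID without SameSite" logicalGrouping="MatchAll">
            <add input="{RESPONSE_Set_Cookie}" pattern="^JSESSIONID=" />
            <add input="{RESPONSE_Set_Cookie}" pattern="SameSite=" negate="true" />
          </preCondition>
        </preConditions>
      </outboundRules>
    </rewrite>
  </system.webServer>
</configuration>
```

After applying it, confirm in the browser developer tools (Application > Cookies, or the Network tab's response headers) that only JSESSIONID carries SameSite=None; Secure and that other cookies are unchanged.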