  1. PUBLIC - Liferay Portal Community Edition
  2. LPS-118566

Research latest developments in SameSite cookie browsers default behavior

    Details

    • Type: Spike
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: Application Security
    • Labels:

      Description

      In Firefox (tested on v78.0.2) we are starting to see warnings like the following for the first request (or after clearing cookies) to the portal.

      Cookie "JSESSIONID" will be soon rejected because it has the "sameSite" attribute set to "none" or an invalid value, without the "secure" attribute.

      This is when the HTTP response sets the cookie like:

      Set-Cookie: JSESSIONID=01542E079EA0DCC40EAF25A1F90A9607; Path=/; HttpOnly

       

      It looks like the browser is considering the absence of the SameSite attribute to be "invalid", whereas we were expecting it to be considered as "LAX".

      This appears to be the behavior in Chrome (see LPS-107423, and now re-tested on Chrome v84.0.4147.105).

      The warning is concerning because it says the cookie will soon be rejected, which presumably means the browser will not even persist it. If true, this will have a huge impact on the portal.


              People

              Assignee:
              support-lep@liferay.com SE Support
              Reporter:
              stian.sigvartsen Stian Sigvartsen
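
An added example, not part of the ticket or of Liferay's code: a small Python audit that sorts Set-Cookie headers by the condition quoted in the Firefox warning above (SameSite missing, invalid, or "None" without Secure). The status labels, function names and every sample header except the first are constructed for illustration; treating an invalid value as a finding regardless of Secure is an assumption of this sketch.

```python
VALID_SAMESITE = {"strict", "lax", "none"}

def parse_set_cookie(header):
    """Split a Set-Cookie header into (cookie name, attributes with lowercase keys)."""
    value = header.split(":", 1)[1] if header.lower().startswith("set-cookie:") else header
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs

def classify(header):
    """Return (cookie name, status label) for one Set-Cookie header."""
    name, attrs = parse_set_cookie(header)
    if "samesite" not in attrs:
        # No attribute at all: handling is left to the browser's default,
        # which is the case reported in the ticket.
        return name, "missing-samesite"
    samesite = attrs["samesite"].lower()
    if samesite not in VALID_SAMESITE:
        return name, "invalid-samesite"
    if samesite == "none" and "secure" not in attrs:
        # The combination the warning text names explicitly.
        return name, "none-without-secure"
    return name, "explicit-" + samesite

def audit(headers):
    """Return (name, status) for cookies whose SameSite handling is not explicit and valid."""
    findings = []
    for header in headers:
        name, status = classify(header)
        if not status.startswith("explicit-"):
            findings.append((name, status))
    return findings

# Constructed sample; only the first header is the one quoted in the ticket.
SAMPLE = [
    "Set-Cookie: JSESSIONID=01542E079EA0DCC40EAF25A1F90A9607; Path=/; HttpOnly",
    "Set-Cookie: JSESSIONID=constructed1; Path=/; HttpOnly; SameSite=None",
    "Set-Cookie: JSESSIONID=constructed2; Path=/; HttpOnly; Secure; SameSite=None",
    "Set-Cookie: JSESSIONID=constructed3; Path=/; HttpOnly; SameSite=Lax",
    "Set-Cookie: JSESSIONID=constructed4; Path=/; SameSite=Foo",
]

if __name__ == "__main__":
    for cookie, status in audit(SAMPLE):
        print(cookie, status)
```
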