- Type: Spike
- Status: Open
- Priority: Minor
- Resolution: Unresolved
- Affects Version/s: None
- Fix Version/s: None
- Component/s: Application Security
- Labels:

In Firefox (tested on v78.0.2) we are starting to see warnings like the following for the first request to the portal (or after clearing cookies):
Cookie "JSESSIONID" will be soon rejected because it has the "sameSite" attribute set to "none" or an invalid value, without the "secure" attribute.
This happens when the HTTP response sets the cookie like:
Set-Cookie: JSESSIONID=01542E079EA0DCC40EAF25A1F90A9607; Path=/; HttpOnly
It looks like the browser is considering the absence of the SameSite attribute to be "invalid", whereas we were expecting it to be considered "LAX".
This appears to be the behavior in Chrome (see LPS-107423, now re-tested on Chrome v84.0.4147.105).
The warning is concerning because it says the cookie will soon be rejected, which presumably means the browser will not even persist it. If true, this will have a huge impact on the portal.
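The check below is an added example, not Liferay code and not part of this ticket. It parses Set-Cookie header values and classifies them against the exact condition in the Firefox warning quoted above (SameSite=None or an unrecognised value with no Secure flag), treats a missing SameSite attribute as the ticket's "defaulted to Lax" case (Chrome's documented default), and shows the hardened form of the JSESSIONID header for both same-site and cross-site use. The sample headers are constructed; only the first is the one quoted in the ticket, and the function and attribute names are the example's own.

```python
"""Classify and harden Set-Cookie headers against the SameSite rules
described in the ticket. Added example, not Liferay code."""
from typing import Dict, Tuple

VALID_SAMESITE = {"strict", "lax", "none"}

# Canonical casing for attributes when re-serialising a header.
CANONICAL = {"path": "Path", "domain": "Domain", "expires": "Expires",
             "max-age": "Max-Age", "httponly": "HttpOnly",
             "secure": "Secure", "samesite": "SameSite"}

# Constructed sample headers; the first is the one quoted in the ticket.
SAMPLE_HEADERS = [
    "JSESSIONID=01542E079EA0DCC40EAF25A1F90A9607; Path=/; HttpOnly",
    "JSESSIONID=01542E079EA0DCC40EAF25A1F90A9607; Path=/; HttpOnly; SameSite=None",
    "JSESSIONID=01542E079EA0DCC40EAF25A1F90A9607; Path=/; HttpOnly; SameSite=Nonsense",
    "JSESSIONID=01542E079EA0DCC40EAF25A1F90A9607; Path=/; HttpOnly; SameSite=None; Secure",
    "JSESSIONID=01542E079EA0DCC40EAF25A1F90A9607; Path=/; HttpOnly; SameSite=Lax",
]


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a Set-Cookie value into (name, value, attributes).

    Attribute names are lower-cased; flag attributes such as Secure and
    HttpOnly map to an empty string. Insertion order is preserved so the
    header can be re-serialised in its original order.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def classify_samesite(header: str) -> Dict[str, object]:
    """Describe the SameSite/Secure state of one Set-Cookie header.

    status: 'missing', 'invalid', or the normalised SameSite value.
    rejected_per_warning: True exactly when the Firefox warning quoted in
    the ticket applies, i.e. SameSite is None or invalid and Secure is absent.
    A 'missing' attribute is the ticket's own case; Chrome treats it as Lax.
    """
    _, _, attrs = parse_set_cookie(header)
    secure = "secure" in attrs
    raw = attrs.get("samesite")
    if raw is None:
        status = "missing"
    elif raw.lower() in VALID_SAMESITE:
        status = raw.lower()
    else:
        status = "invalid"
    rejected = status in ("none", "invalid") and not secure
    return {"status": status, "secure": secure, "rejected_per_warning": rejected}


def serialize_set_cookie(name: str, value: str, attrs: Dict[str, str]) -> str:
    """Rebuild a Set-Cookie value with canonical attribute casing."""
    parts = [f"{name}={value}"]
    for key, val in attrs.items():
        label = CANONICAL.get(key, key)
        parts.append(f"{label}={val}" if val else label)
    return "; ".join(parts)


def harden_set_cookie(header: str, cross_site: bool = False) -> str:
    """Rewrite a Set-Cookie so it no longer matches the warning condition.

    cross_site=False: the cookie only needs first-party delivery, so any
    missing, invalid or None value becomes an explicit SameSite=Lax (the
    expectation stated in the ticket); Strict and Lax are kept as given.
    cross_site=True: the cookie must travel in cross-site requests, and the
    only form browsers accept for that is SameSite=None together with Secure.
    """
    name, value, attrs = parse_set_cookie(header)
    current = attrs.get("samesite", "").lower()
    if cross_site:
        attrs["samesite"] = "None"
        attrs["secure"] = ""
    elif current not in ("strict", "lax"):
        attrs["samesite"] = "Lax"
    return serialize_set_cookie(name, value, attrs)


if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(classify_samesite(h), "<-", h)
    print(harden_set_cookie(SAMPLE_HEADERS[0]))
    print(harden_set_cookie(SAMPLE_HEADERS[0], cross_site=True))
```

Run over an application's responses (for example from a proxy log), the classifier separates cookies that will actually be rejected under the quoted warning from cookies that merely rely on the browser's Lax default, which is the distinction this ticket is asking about. The cross-site flag matters for the SAML case linked below: an SSO cookie that must survive a cross-site POST cannot be fixed by defaulting to Lax and needs the None-plus-Secure form instead.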
- is demanded by
  - LPS-115539 Cookie "ab_test_variant_id" will be soon be rejected (Closed)
- is related to
  - LPS-108070 Handle new SameSite=Lax default in cookies in SAML (Closed)
- relates
  - LPS-133584 SameSite policy control for default Liferay cookies (Pending Further Research)