Set SameSite policy on cookies

Description

Chrome 80 changed how cookies without an explicit SameSite attribute are handled.

By default the browser now treats a cookie with no SameSite attribute as SameSite=Lax. A Lax cookie is not sent on cross-site requests other than top-level GET navigations, so a POST request arriving from an external site carries no cookies, and the user's session is not available to the request that handles it.

This is especially critical because some payment gateways return the customer to the site via a POST request, and that request arrives without the session cookie.

The fix is to append ";SameSite=None" to the cookies being set. This must only be done for cookies that also carry the Secure attribute (i.e. on HTTPS connections): Chrome 80 rejects a SameSite=None cookie that is not Secure, so the whole cookie would be ignored. Note that SameSite=None restores the pre-Chrome-80 behaviour of sending the cookie on cross-site requests, so the application's existing CSRF protections remain necessary.

"None" is the default policy set by Preside. If for a specific application you want to lock this down further, you can set the policy in your Application.cfc.

Valid options are "None", "Lax" or "Strict".
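To make the behaviour above concrete, here is an added example (not Preside code, and not the Application.cfc setting, which is not shown on this page): a small Python model of the Chrome 80 rules that builds a Set-Cookie header, refuses the SameSite=None-without-Secure combination that Chrome drops, and decides whether a stored cookie is attached to a cross-site POST such as a payment gateway callback. All function names and the `session=abc` cookie are hypothetical. The model omits Chrome's temporary "Lax + POST" two-minute exception for cookies set without any SameSite attribute.

```python
# Added example, not Preside code: a model of the Chrome 80 SameSite rules.
# Function names and the sample cookie values below are hypothetical.

VALID_SAMESITE = ("None", "Lax", "Strict")
SAFE_METHODS = ("GET", "HEAD")


def build_set_cookie(name, value, samesite="Lax", secure=False, http_only=True, path="/"):
    """Return a Set-Cookie header value, refusing SameSite=None without Secure
    (Chrome 80+ would reject such a cookie outright)."""
    if samesite not in VALID_SAMESITE:
        raise ValueError(f"invalid SameSite value {samesite!r}")
    if samesite == "None" and not secure:
        raise ValueError("SameSite=None requires the Secure attribute")
    parts = [f"{name}={value}", f"Path={path}", f"SameSite={samesite}"]
    if secure:
        parts.append("Secure")
    if http_only:
        parts.append("HttpOnly")
    return "; ".join(parts)


def parse_set_cookie(header):
    """Parse a Set-Cookie header value into its name/value plus the two
    attributes this model cares about: SameSite and Secure."""
    pieces = [p.strip() for p in header.split(";")]
    name, _, value = pieces[0].partition("=")
    cookie = {"name": name, "value": value, "samesite": None, "secure": False}
    for attr in pieces[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "samesite":
            cookie["samesite"] = val.strip()
        elif key == "secure":
            cookie["secure"] = True
    return cookie


def effective_samesite(cookie):
    """Chrome 80 default: no SameSite attribute (or an unknown token) means Lax.
    Attribute values are matched case-insensitively."""
    value = cookie["samesite"]
    if value is None:
        return "Lax"
    for known in VALID_SAMESITE:
        if known.lower() == value.lower():
            return known
    return "Lax"


def browser_stores(cookie):
    """Chrome 80+ refuses to store a SameSite=None cookie that is not Secure."""
    return not (effective_samesite(cookie) == "None" and not cookie["secure"])


def cookie_sent(cookie, cross_site, method, top_level_navigation, https):
    """Decide whether a stored cookie is attached to an outgoing request."""
    if cookie["secure"] and not https:
        return False  # Secure cookies never travel over plain http
    if not cross_site:
        return True  # same-site requests always carry the cookie
    policy = effective_samesite(cookie)
    if policy == "Strict":
        return False
    if policy == "Lax":
        # Only top-level navigations with a safe method, so a gateway that
        # POSTs the customer back to the site never sees the session cookie.
        return top_level_navigation and method.upper() in SAFE_METHODS
    return True  # None: sent cross-site (already required to be Secure)


def payment_callback_has_session(set_cookie_header):
    """Worked scenario: the site sets a session cookie, then a payment gateway
    returns the customer with a cross-site, top-level POST over HTTPS."""
    cookie = parse_set_cookie(set_cookie_header)
    if not browser_stores(cookie):
        return False
    return cookie_sent(cookie, cross_site=True, method="POST",
                       top_level_navigation=True, https=True)


if __name__ == "__main__":
    # Constructed sample headers: default (Lax), the rejected None-without-Secure,
    # and the corrected None + Secure form.
    for header in (
        "session=abc; Path=/; HttpOnly",
        "session=abc; Path=/; HttpOnly; SameSite=None",
        build_set_cookie("session", "abc", samesite="None", secure=True),
    ):
        print(f"{header!r:60} -> session on gateway POST: {payment_callback_has_session(header)}")
```

Only the third header keeps the session on the gateway's POST: the first is treated as Lax and the cookie is withheld from the cross-site POST, and the second is never stored at all because SameSite=None was set without Secure.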

Environment

None

Assignee

Seb Duggan

Reporter

Seb Duggan

Labels

None

Accepted

Yes

Fix versions

Affects versions

Priority

Highest