I attempted to post the following response regarding a ColdFusion bug that I reported back in March 2018, but Adobe's CFTracker web application wasn't working and refused to accept my post for an undisclosed reason.
CFCookie "samesite" support
https://tracker.adobe.com/#/view/CF-4201688
A third-party site's API recently triggered the following warning message in Chrome 78:
A cookie associated with a cross-site resource at http://jetio.streamguys.com/ was set without the
SameSite
attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set withSameSite=None
andSecure
. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032I reported it to them and they fixed it within 2-3 days on their PHP platform.
As a workaround for CF2016 (and CF10 & 11), I'm using this modified UDF to set a CFCookie & a fallback "set-cookie" CFHeader. It's duplicates the response headers, but if CFCookie isn't used, the value isn't added to the COOKIE scope. (The 2nd set-cookie header automatically overwrites the first one set by CF.)
Source Code
1/17/2020 Update
Adobe has indicated that this will be fixed in CF2016+, but it's 20 days away and nothing has been made available yes. On 1/16/2020, Google published Get Ready for New SameSite=None; Secure Cookie and listed other platforms that had same-site examples.
3/24/2020 Update
Adobe has posted manual patches for CF2016 & CF2018 on the bug report. (If using CF2016, download the CF2018 attachment as the instructions for CF2016 are incorrect.)
If you are still using ColdFusion 10 or 11, you can use this UDF or Pete Freitag's solution for IIS or Apache.
Top comments (1)
James, for CF-4201688 did you actually get it to work? I am running CF2018 Enterprise ver. 2018.0.08.318307 on Websphere 9 and OS: RedHat Enterprise Linux 7.2. We applied hf201600-4201688 as the instructions stated; however, I noticed "Catalina.jar" file does not exists in any directory as I believe that is used on Tomcat. It doesn't appear that the samesite attribute of cfcookie works. I don't receive an error for that samesite attribute like I did before applying the fix but it doesn't appear to pass the value.
Example: cfcookie name="TEST" value="abc123" samesite="None"
Cookie Result:
NAME: "AMWEBJCT!%2Fjrtlappsdev!TEST"
VALUE: "abc123"
SAMESITE: is empty
Thanks.