tracker issue : CF-4202424

Title:

Add SameSite Cookie Support to ColdFusion

Status/Resolution/Reason: Closed/Withdrawn/Duplicate

Reporter/Name(from Bugbase): Peter Freitag / ()

Created: 05/14/2018

Components: Language, Tags

Versions: 2016

Failure Type: Others

Found In Build/Fixed In Build: /

Priority/Frequency: Normal /

Locale/System: / Platforms All

Vote Count: 3

SameSite cookies are a new browser feature to help developers mitigate CSRF. They should be supported by CF in the CFCookie tag, and there should be settings for the session variables, e.g. in Application.cfc you should be able to do this:

this.sessioncookie.samesite="lax/strict";

There should also be a CF Administrator setting to do the same.

The CFCookie tag should support the samesite attribute, e.g.:

<cfcookie samesite="lax">

or 

<cfcookie samesite="strict">

Info: https://www.owasp.org/index.php/SameSite

Spec: https://tools.ietf.org/html/draft-west-first-party-cookies-07

Browser Support: https://caniuse.com/#search=samesite
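
Added example (not part of the original report and not Adobe's code): a Python check that classifies the SameSite attribute on Set-Cookie header values and flags session cookies that lack the lax/strict values requested above. The function names and sample headers are constructed for illustration; CFID, CFTOKEN and JSESSIONID are assumed as the session cookie names to watch.

```python
# Audit Set-Cookie header values for the SameSite attribute.
VALID = {"lax", "strict"}  # the two values the request above proposes


def parse_set_cookie(header_value):
    """Return (cookie_name, {attribute_name_lower: value}) for one Set-Cookie value."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def samesite_status(header_value):
    """Classify one Set-Cookie value: 'lax', 'strict', 'missing' or 'invalid'."""
    _, attrs = parse_set_cookie(header_value)
    if "samesite" not in attrs:
        return "missing"
    value = attrs["samesite"].lower()
    return value if value in VALID else "invalid"


def audit(header_values, session_names=("CFID", "CFTOKEN", "JSESSIONID")):
    """Return ({cookie_name: status}, [session cookies without lax/strict])."""
    report = {}
    for hv in header_values:
        name, _ = parse_set_cookie(hv)
        report[name] = samesite_status(hv)
    wanted = {n.upper() for n in session_names}
    flagged = sorted(n for n, s in report.items()
                     if n.upper() in wanted and s not in VALID)
    return report, flagged


# Constructed sample response headers (not captured from a real server).
SAMPLE = [
    "CFID=1234; Path=/; HttpOnly",
    "CFTOKEN=abcd; Path=/; HttpOnly; SameSite=Lax",
    "PREFS=dark; Path=/; samesite=STRICT; Secure",
    "TRACK=1; Path=/; SameSite=sometimes",
]

if __name__ == "__main__":
    report, flagged = audit(SAMPLE)
    for name, status in report.items():
        print(f"{name:10} {status}")
    print("session cookies without SameSite:", flagged)
```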

Attachments:

Comments:

This is a dupe of CF-4201688
Comment by Vamseekrishna N.
27792 | May 14, 2018 02:10:37 PM GMT
Oops I did search before submitting this but I searched in the "Issue Key" field... sorry.
Comment by Peter F.
27793 | May 14, 2018 02:17:05 PM GMT