tracker issue : CF-4201688

SameSite cookies are a new browser feature to help developers mitigate CSRF, they should be supported by CF in the CFCookie tag, and there should be settings for the session variables, eg in Application.cfc you should be able to do this: this.sessioncookie.samesite="lax/strict"; There should also be a CF Administrator setting to do the same. The CFCookie tag should support the samesite attribute, eg: <cfcookie samesite="lax"> or <cfcookie samesite="strict"> Info: https://www.owasp.org/index.php/SameSite Spec: https://tools.ietf.org/html/draft-west-first-party-cookies-07 Browser Support: https://caniuse.com/#search=samesite

Comment by Peter F.

Important feature to help mitigate CSRF

Vote by Peter F.

This should be added to help us protect the visitors of our sites.

Vote by Miguel F.

+1 ...........

Vote by Aaron N.

FYI Tomcat 8.5.42 http://tomcat.apache.org/tomcat-8.5-doc/changelog.html and Tomcat 9.0.21 http://tomcat.apache.org/tomcat-9.0-doc/changelog.html have added support for same-site cookies, so it should be possible to implement this feature once you update Tomcat!

Comment by Peter F.

Hopefully "samesite", which is supported by 86.57% of browsers, will be implemented in ColdFusion 2016 before end-of-core on 2/17/2021. I was hoping that it would have been included in today's CF2016 patch 11, but didn't realize that Tomcat was the dependency that was holding everything up. (Tomcat added "samesite" support on June 4, 2019.)

Comment by James M.

Definitely an important feature. Please add!

Vote by Mosh T.

Please add this functionality

Vote by Ben F.

Definitely a must-do. It helps fight against Cross-Site Request Forgery.

Vote by A. B.

Could it be that ColdFusion 2018 implicitly supports samesite cookies? After all, ColdFusion 2018 runs on Tomcat 9.0.21, and this version of Tomcat has support for samesite cookies. See https://tomcat.apache.org/tomcat-8.5-doc/config/cookie-processor.html You would then think of something resembling the following in {CF_INSTANCE_DIR}/runtime/conf/context.xml <Context> <CookieProcessor className="org.apache.tomcat.util.http.LegacyCookieProcessor" sameSiteCookies="strict" /> </Context>

Comment by A. B.

"SameSite" will be more important very soon as Google Chrome will reject 3rdparty cookies if not configured properly. (ie, this will become a real "modernize or die" issue.) I tried responding, but I only saw an icon flash when I attempted to submit my response, so I posted it as a blog post. (This happened recently on the Adobe Community Forums too.) As a workaround, we're using a UDF to generate a "samesite" cookie. https://gamesover2600.tumblr.com/post/188744661844/coldfusion-setcookie-udf-supports-samesite

Comment by James M.

Please add this functionality.

Vote by Moshe R.

Google Chrome 80 Stable is scheduled to be released on Feb 4, 2020. https://www.chromestatus.com/features/schedule https://www.chromestatus.com/feature/5088147346030592 https://www.chromestatus.com/feature/5633521622188032 Can Adobe provide some sort of official response regarding their support for ColdFusion 2016 & 2018? This bug report currently indicates that it will be fixed in "Alpha" and has a "normal" priority.

Comment by James M.

Deadline with Chrome 80 is looming now - roll this out so any fixes have time to be implemented

Vote by Steve L.

We are currently adding samesite support and the same would be included as part of the next update.

Comment by Edwin S.

Edwin, can you please clarify if "next update" means the next update to cf2018 (and. 2016)? Or mght you mean only cf2020?

Comment by Charlie A.

Hi Charlie, we will be adding it for CF2020, CF2018 and CF2016 as well. 

Comment by Edwin S.

Thanks, Edwin. But will the support for cf2018 and 2016 be released in an update, before cf2020 is released, especially if cf2020 may not be released for some months? Again, we're less than a month from the change in chrome that could affect many, some quite detrimentally.

Comment by Charlie A.

Chrome's "samesite" browser update is in 20 days. Will the "next update" be released before or after all Adobe ColdFusion platforms that use a back-end ColdFusion API with different hostname are negatively impacted? Here's an article regarding it that was published 1/16/2020: https://webmasters.googleblog.com/2020/01/get-ready-for-new-samesitenone-secure.html Official instructions & examples for various platforms are listed here. Adobe ColdFusion is not listed. https://github.com/GoogleChromeLabs/samesite-examples I plan on recommended my UDF as a samte-site ColdFusion example unless anyone has a better workaround. https://gamesover2600.tumblr.com/post/188744661844/coldfusion-setcookie-udf-supports-samesite

Comment by James M.

Another option, should Adobe's update not be released in time, is to use some sort of HTTP request post processor to add the flag. For example, with IIS's URL ReWrite tool, you could use the following outbound rule: <rule name="Add SameSite Cookies Flag"> <match serverVariable="RESPONSE_Set-Cookie" pattern="^(.*)(=.*)$" /> <action type="Rewrite" value="{R:0}; SameSite=lax" /> </rule> Just note that this rule would apply to EVERY cookie that is set unless you were to modify the pattern to exclude some of them, etc.

Comment by Mosh T.

so whats the deal with this? i'm kinda worried about charlie saying 'we're less than a month from the change in chrome that could affect many, some quite detrimentally' and theres no response from adobe! this issue has been open since 2018 are there any articles on how best to deal with this change in coldfusion?

Comment by luke m.

The silence is deafening...

Comment by Sid W.

https://blog.chromium.org/2019/10/developers-get-ready-for-new.html With Chrome 80 in February, Chrome will treat cookies that have no declared SameSite value as SameSite=Lax cookies. Only cookies with the SameSite=None; Secure setting will be available for external access, provided they are being accessed from secure connections. The Chrome Platform Status trackers for SameSite=None and Secure will continue to be updated with the latest launch information.

Comment by John W.

Just more info on it - we'd really like to see this implemented: https://web.dev/samesite-cookies-explained/ https://www.troyhunt.com/promiscuous-cookies-and-their-impending-death-via-the-samesite-policy/

Comment by Matthew C.

Here's status updates that I received on 2/24/2020: - Failure Type updated from 'Others' to an empty value. - Version updated to '13.0' What does this mean? I don't see this info reflected in any details above. Will this be released in Feb 2020? Will this be released for ColdFusion 2016?

Comment by James M.

This has been fixed and will be made available in the next bug-fix update cycle, due in Q2 2020.

Comment by Vamseekrishna N.

Chrome is starting to require the samesite attribute

Vote by Rafael S.

This is now an issue as Chrome blocks all cookies that require this attribute that are not on the same site. Which means that cookies are unusable in Chrome - we need a fix now! Is there a hot fix?

Comment by Toby W.

Hi All,   We have attached the patch for both CF2016 as well as CF2018 Request everyone to apply the patch and check if it covers all the scenarios.   The steps to apply the patch is shared in the zip file itself. Details are written in the file named Readme.txt How to use it in your code is also shared in the Readme.txt file present inside the zip   Thanks, Kailash

Comment by Kailash B.

The instructions in the CF2016.zip attachment are incorrect. I downloaded the instructions for CF2018 to contrast and compare in order to determine what to do. (CF2016 instructions indicate to backup 3 files and to only copy over 2 files.) Could you please update this?

Comment by James M.

Hi James,   Thanks for pointing it out. I have modified the Readme.txt. The files are still unchanged, just the description in Readme.txt has changed.   Thanks, Kailash

Comment by Kailash B.

This 3/24/2020 patch introduces a new bug. This throws an "The tag handler cookie does not have a setter for the attribute samesite specified in the Tag Library Descriptor." error. (This leads me to believe that the functionality wasn't fully tested in any production application before making the patch available.) <cfset CookieSettings = {name="test", value="#Now()#"}> <cfcookie attributecollection="#CookieSettings#">

Comment by James M.

False alarm... after further debugging, it appears that the update was not performed correctly. The "hf201600-4201688.Jar" file wasn't copied to the {INSTANCE_NAME}/lib/updates/ folder. (Interestingly enough, the simple absence of the "samesite" cookie was the only thing that triggered the error.)

Comment by James M.

Has anyone this bug fix to work? I am running CF2018 Enterprise ver. 2018.0.08.318307 on Websphere 9 and OS: RedHat Enterprise Linux 7.2. We applied hf201600-4201688 as the instructions stated; however, I noticed "Catalina.jar" file does not exists in any directory as I believe that is used on Tomcat. It doesn't appear that the samesite attribute of cfcookie works. Example: <cfcookie name="TEST" value="abc123" samesite="None"> Cookie Result: NAME: AMWEBJCT!%2Fjrtlappsdev!TEST VALUE: abc123 SAMESITE is empty Thanks.

Comment by Gerald D.

Hi Gerald, We are adding header from our side. If it is not being honoured, then Websphere might be processing the Set-Cookie headers to remove unexpected attributes. So they need to support as well Few application servers(including Tomcat) do not support samesite attribute on an individual cookie level. They have it as a server wide attribute. So even if we set the cookie on CF side, it could be overwritten by server level samesite value on the app server. 

Comment by Edwin S.