Status/Resolution/Reason: Closed/Withdrawn/Duplicate
Reporter/Name(from Bugbase): Peter Freitag / ()
Created: 05/14/2018
Versions: 2016
Failure Type: Others
Found In Build/Fixed In Build: /
Priority/Frequency: Normal /
Locale/System: / Platforms All
Vote Count: 3
SameSite cookies are a new browser feature to help developers mitigate CSRF. They should be supported by CF in the CFCookie tag, and there should be settings for the session variables, e.g. in Application.cfc you should be able to do this:
this.sessioncookie.samesite="lax/strict";
There should also be a CF Administrator setting to do the same.
The CFCookie tag should support the samesite attribute, e.g.:
<cfcookie samesite="lax">
or
<cfcookie samesite="strict">
Info:
https://www.owasp.org/index.php/SameSite
Spec: https://tools.ietf.org/html/draft-west-first-party-cookies-07
Browser Support: https://caniuse.com/#search=samesite
Attachments:
Comments:
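As an added example (not code from the reporter or from ColdFusion), the following shows what the requested `samesite` attribute comes down to on the wire: a builder that emits a `Set-Cookie` header carrying `SameSite=Lax` or `SameSite=Strict`, and an audit that flags response cookies where the attribute is missing or carries an undefined value. Cookie names and values are constructed for illustration.

```python
from typing import Dict, List

# Constructed sample: Set-Cookie headers as a server might emit them.
# Names and values are made up; only the attribute handling matters here.
SAMPLE_HEADERS = [
    "SESSIONID=abc123; Path=/; HttpOnly; Secure",
    "SESSIONTOKEN=def456; Path=/; HttpOnly; Secure; SameSite=Strict",
    "prefs=dark; Path=/; SameSite=lax",
    "tracker=xyz; Path=/; SameSite=bogus",
]

# Values defined by the draft spec; attribute values are matched case-insensitively.
VALID_SAMESITE = {"lax", "strict"}


def parse_set_cookie(header: str) -> Dict[str, str]:
    """Split one Set-Cookie header into a dict: the cookie name/value plus
    lower-cased attribute names (value-less attributes map to "")."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {"__name__": name.strip(), "__value__": value.strip()}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return attrs


def samesite_status(header: str) -> str:
    """Return 'lax' / 'strict' for a valid attribute, 'missing' if absent,
    or 'invalid' for an empty or undefined value (browsers ignore those)."""
    attrs = parse_set_cookie(header)
    if "samesite" not in attrs:
        return "missing"
    value = attrs["samesite"].lower()
    return value if value in VALID_SAMESITE else "invalid"


def audit(headers: List[str]) -> Dict[str, str]:
    """Map each cookie name to its SameSite status for review."""
    return {parse_set_cookie(h)["__name__"]: samesite_status(h) for h in headers}


def build_set_cookie(name: str, value: str, samesite: str,
                     secure: bool = True, httponly: bool = True) -> str:
    """Emit the Set-Cookie header a samesite-aware cookie tag would produce."""
    if samesite.lower() not in VALID_SAMESITE:
        raise ValueError(f"samesite must be one of {sorted(VALID_SAMESITE)}, got {samesite!r}")
    parts = [f"{name}={value}", "Path=/"]
    parts += ["Secure"] if secure else []
    parts += ["HttpOnly"] if httponly else []
    parts.append(f"SameSite={samesite.capitalize()}")
    return "; ".join(parts)
```

Running `audit(SAMPLE_HEADERS)` reports the session cookie in the sample as `missing`, which is exactly the gap the requested tag attribute and Application.cfc setting would close.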