Beefy Boxes and Bandwidth Generously Provided by pair Networks
Don't ask to ask, just ask
 
PerlMonks  

Firefox warns that cookies generated by Catalyst will be rejected in future

by martell (Hermit)
on Jul 04, 2020 at 14:32 UTC ( #11118915=perlquestion: print w/replies, xml ) Need Help??

martell has asked for the wisdom of the Perl Monks concerning the following question:

Dear Monks,

I'm using Catalyst::Plugin::Session::State::Cookie to have sessions within my pages. While developing I noticed that Firefox in its most recent version is complaining in the console that my cookies are misusing the sameSite attribute:

Cookie “my_site_session” will be soon rejected because it has the “sam +eSite” attribute set to “none” or an invalid value, without the “secu +re” attribute. To know more about the “sameSite“ attribute, read http +s://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite p +hotos

In catalyst I have following code to configure my site and the Cookie Plugin:

use Catalyst qw/ ConfigLoader Static::Simple Session Session::Store::FastMmap Session::State::Cookie Authentication Authorization::Roles /;

If found that I can set the secure flag by adding to my config:

__PACKAGE__->config('Plugin::Session' => { cookie_secure => 1, });

This solves my immediate concern because now Firefox doesn't complain any more. (In reality I use the value "2" because on my development machine I don't use https .). But it doesn't feel like a fundamental good solution.

Looking through the code of the module I don't see the variable "SameSite" explicitly set. Hence I suppose Firefox detects it as having the value "None". I'm not familiar with the innards of Catalyst and I don't know if the cookie is handled somewhere else in Catalyst before sending. But I was wondering if this module should not set the "SameSite" variable in a Cookie by default to "Lax" as it is the expected default.

Any thoughts, insights on this observation before I report it as a bug on the module?

Kind regards

Replies are listed 'Best First'.
Re: Firefox warns that cookies generated by Catalyst will be rejected in future
by Your Mother (Bishop) on Jul 05, 2020 at 00:58 UTC

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: perlquestion [id://11118915]
Approved by hippo
Front-paged by haukex
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others taking refuge in the Monastery: (5)
As of 2020-08-13 09:20 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?
    Which rocket would you take to Mars?










    Results (70 votes). Check out past polls.

    Notices?