Add SameSite=Lax to cookies to fix warnings in web browsers
|Assignee:||Go MAEDA||% Done:|
|Category:||Accounts / authentication|
Firefox 88.0.1 shows the following warning in Web Console.
Cookie “_redmine_session” will be soon rejected because it has the “SameSite” attribute set to “None” or an invalid value, without the “secure” attribute. To know more about the “SameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite
According to https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite#fixing_common_warnings, we have two options to fix the warning:
Secure attribute to the cookie
SameSite attribute to the value other than "None"
However, if you set the Secure attribute, Redmine cannot be used in non-HTTPS environments such as test environments and some on-premise servers. Therefore, I think it is preferable to set the SameSite attribute to something other than "None".
Add SameSite=Lax to cookies to fix warnings in web browsers (#35226).
Patch by Go MAEDA.
The following patch fixes the issue.
The patch must be safe because Redmine's cookie is already treated as SameSite=Lax in Chrome.
Redmine does not explicitly set the SameSite attribute in the Set-Cookie field. So, it is treated as SameSite=Lax in Chrome 80 and later.
diff --git a/config/application.rb b/config/application.rb index dc8d5f89d..fc6e6a33f 100644 --- a/config/application.rb +++ b/config/application.rb @@ -79,7 +79,8 @@ module RedmineApp config.session_store( :cookie_store, :key => '_redmine_session', - :path => config.relative_url_root || '/' + :path => config.relative_url_root || '/', + :same_site => :lax ) if File.exists?(File.join(File.dirname(__FILE__), 'additional_environment.rb'))