Defect #35226

Add SameSite=Lax to cookies to fix warnings in web browsers

Added by Go MAEDA 5 months ago. Updated 3 months ago.

Status: Closed
Priority: Normal
Assignee: Go MAEDA
% Done: 0%
Category: Accounts / authentication
Target version: 4.1.4
Resolution: Fixed
Start date:
Due date:
Affected version:

Description

Firefox 88.0.1 shows the following warning in Web Console.

Cookie “_redmine_session” will be soon rejected because it has the “SameSite” attribute set to “None” or an invalid value, without the “secure” attribute. To know more about the “SameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite

According to https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite#fixing_common_warnings, we have two options to fix the warning:

1. Add the Secure attribute to the cookie
2. Set the SameSite attribute to a value other than "None"

However, if you set the Secure attribute, Redmine cannot be used in non-HTTPS environments such as test environments and some on-premise servers. Therefore, I think it is preferable to set the SameSite attribute to something other than "None".

samesite-none-warning.png (108 KB) Go MAEDA, 2021-05-11 10:09

35226-v2.patch (1.5 KB) Go MAEDA, 2021-05-13 08:28
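As an added illustration (not part of the original report and not Redmine's or Rack's code), the following Ruby script encodes the rule behind the warning quoted above and the two fix options: a Set-Cookie header whose SameSite value is None, invalid, or absent must also carry Secure, otherwise it is flagged. The `lax_by_default` flag models the Chrome 80+ behaviour mentioned in comment #1, where a missing SameSite is treated as Lax rather than None, so the same headers pass in Chrome and fail in Firefox 88. The cookie names are the three from this issue; the header values and attributes are constructed for the example, and the parser is a simplified stand-in.

```ruby
# Added example, not Redmine's code. Checks Set-Cookie headers against the
# rule the Firefox warning in this report describes: SameSite=None, an
# invalid SameSite value, or (without Lax-by-default) no SameSite at all
# requires the Secure attribute; otherwise the cookie is flagged.

VALID_SAMESITE = %w[lax strict none].freeze

# Parse one Set-Cookie header value into name, value and a lowercase
# attribute hash (flag attributes such as Secure and HttpOnly map to true).
# Simplified stand-in, not Rack's parser.
def parse_set_cookie(header)
  pair, *attrs = header.split(';').map(&:strip)
  name, value = pair.split('=', 2)
  attributes = attrs.each_with_object({}) do |attr, h|
    k, v = attr.split('=', 2)
    h[k.downcase] = v.nil? ? true : v
  end
  { name: name, value: value, attributes: attributes }
end

# The SameSite mode a browser would apply. lax_by_default: true models
# Chrome 80+ (absent == Lax); false models Firefox 88 (absent == None).
def effective_samesite(attributes, lax_by_default:)
  raw = attributes['samesite']
  return (lax_by_default ? 'lax' : 'none') if raw.nil?
  v = raw.downcase
  VALID_SAMESITE.include?(v) ? v : 'invalid'
end

# Verdict for one header: ok? plus the reason.
def samesite_verdict(header, lax_by_default: false)
  cookie = parse_set_cookie(header)
  attrs  = cookie[:attributes]
  mode   = effective_samesite(attrs, lax_by_default: lax_by_default)
  secure = attrs.key?('secure')

  ok, reason =
    if %w[lax strict].include?(mode)
      [true, "SameSite=#{mode.capitalize}"]
    elsif secure
      [true, "SameSite #{mode} but Secure is set"]
    else
      [false, "SameSite #{mode} without Secure; add Secure or set SameSite=Lax/Strict"]
    end
  { name: cookie[:name], ok: ok, reason: reason }
end

# Names of the cookies in a list of headers that would trigger the warning.
def flagged_cookies(headers, lax_by_default: false)
  headers.map { |h| samesite_verdict(h, lax_by_default: lax_by_default) }
         .reject { |v| v[:ok] }
         .map { |v| v[:name] }
end

# Constructed headers for the three cookies named in this issue, as they
# would look before the fix (no SameSite) and after it (SameSite=Lax).
BEFORE = [
  '_redmine_session=abc123; path=/; HttpOnly',
  'autologin=tok456; path=/; HttpOnly',
  'history_last_tab=issues; path=/'
].freeze

AFTER = BEFORE.map { |h| "#{h}; SameSite=Lax" }.freeze

if __FILE__ == $PROGRAM_NAME
  puts "Firefox 88 view, before: #{flagged_cookies(BEFORE).inspect}"
  puts "Chrome 80+ view, before: #{flagged_cookies(BEFORE, lax_by_default: true).inspect}"
  puts "Any browser, after:      #{flagged_cookies(AFTER).inspect}"
end
```

Run against a real deployment by pasting the Set-Cookie values from a response (e.g. from `curl -i`) into the list; the second fix option from the description, adding Secure, is also accepted by the check, but as the report notes it breaks plain-HTTP installs.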

Associated revisions

Revision 21009
Added by Go MAEDA 4 months ago

Add SameSite=Lax to cookies to fix warnings in web browsers (#35226).

Patch by Go MAEDA.

Revision 21037
Added by Go MAEDA 3 months ago

Merged r21009 from trunk to 4.2-stable (#35226).

Revision 21038
Added by Go MAEDA 3 months ago

Merged r21009 from trunk to 4.1-stable (#35226).

History

#1 Updated by Go MAEDA 5 months ago

The following patch fixes the issue.

The patch must be safe because Redmine's cookie is already treated as SameSite=Lax in Chrome.

Redmine does not explicitly set the SameSite attribute in the Set-Cookie field. So, it is treated as SameSite=Lax in Chrome 80 and later.
https://blog.chromium.org/2020/02/samesite-cookie-changes-in-february.html

diff --git a/config/application.rb b/config/application.rb
index dc8d5f89d..fc6e6a33f 100644
--- a/config/application.rb
+++ b/config/application.rb
@@ -79,7 +79,8 @@ module RedmineApp
     config.session_store(
       :cookie_store,
       :key => '_redmine_session',
-      :path => config.relative_url_root || '/'
+      :path => config.relative_url_root || '/',
+      :same_site => :lax
     )

     if File.exists?(File.join(File.dirname(__FILE__), 'additional_environment.rb'))
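Review bot: `:same_site => :lax` in the `config.session_store` call only reaches the `_redmine_session` cookie; the `autologin` and `history_last_tab` cookies named in comment #4 are issued elsewhere and would still go out with no SameSite attribute, so the Firefox warning remains for them until they receive the same option (the v2 patch attachment presumably covers this, but it is not shown in this thread). Worth verifying the fix by inspecting the actual `Set-Cookie` header of a response rather than only the option being accepted, to confirm the Rack version pinned in Gemfile.lock serializes `same_site` as `SameSite=Lax`.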

#2 Updated by Liane Hampe 5 months ago

I can confirm that it is working in Firefox 88.0.1 when running Redmine 4.2 in production!

#3 Updated by Go MAEDA 5 months ago

  • Subject changed from Warning about cookies with SameSite=none to Warning due to cookies not having SameSite attribute set
  • Category set to Accounts / authentication
  • Target version set to 4.1.4

Setting the target version to 4.1.4.

#4 Updated by Go MAEDA 5 months ago

Updated the patch. Two other cookies, "autologin" and "history_last_tab", also need to have "SameSite=Lax".

#5 Updated by Go MAEDA 4 months ago

  • Subject changed from Warning due to cookies not having SameSite attribute set to Add SameSite=Lax to cookies to fix warnings in web browsers
  • Status changed from New to Resolved
  • Assignee set to Go MAEDA
  • Resolution set to Fixed

Committed the patch.

#6 Updated by Go MAEDA 3 months ago

  • Status changed from Resolved to Closed
