Defect #35226

closed

Add SameSite=Lax to cookies to fix warnings in web browsers

Added by Go MAEDA almost 3 years ago. Updated almost 3 years ago.

Status: Closed
Priority: Normal
Assignee:
Category: Accounts / authentication
Target version:
Start date:
Due date:
% Done: 0%
Estimated time:
Resolution: Fixed
Affected version:

Description

Firefox 88.0.1 shows the following warning in the Web Console.

Cookie “_redmine_session” will be soon rejected because it has the “SameSite” attribute set to “None” or an invalid value, without the “secure” attribute. To know more about the “SameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite

According to https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite#fixing_common_warnings, we have two options to fix the warning:

1. Add the Secure attribute to the cookie
2. Set the SameSite attribute to a value other than "None"

However, if you set the Secure attribute, Redmine cannot be used in non-HTTPS environments such as test environments and some on-premise servers. Therefore, I think it is preferable to set the SameSite attribute to something other than "None".
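
The condition in the quoted warning and the two fixes listed above, expressed as a check over Set-Cookie headers. This is an added example, not code from Redmine or from 35226-v2.patch; the function names and sample headers are constructed for illustration, and a cookie with no SameSite attribute is reported separately because the quoted warning does not cover it.

```ruby
# Added example, not Redmine code. Function names and sample headers are
# constructed for illustration.

# Split one Set-Cookie header value into the cookie name and a hash of its
# attributes (keys downcased; flag attributes such as Secure map to true).
def parse_set_cookie(header)
  parts = header.split(';').map(&:strip).reject(&:empty?)
  return { name: '', attrs: {} } if parts.empty?
  name, _value = parts.shift.split('=', 2)
  attrs = parts.each_with_object({}) do |part, acc|
    key, val = part.split('=', 2)
    acc[key.strip.downcase] = val.nil? ? true : val.strip
  end
  { name: name.strip, attrs: attrs }
end

# Classify a header against the quoted warning: SameSite is "None" or an
# invalid value, and Secure is absent.
def samesite_status(header)
  attrs = parse_set_cookie(header)[:attrs]
  return :samesite_missing unless attrs.key?('samesite') # outside the warning
  value = attrs['samesite'].to_s.downcase
  return :ok if %w[lax strict].include?(value) # fix 2: value other than None
  return :ok if attrs.key?('secure')           # fix 1: Secure attribute set
  value == 'none' ? :none_without_secure : :invalid_without_secure
end

# Return [header, status] pairs for every header that is not :ok.
def audit(headers)
  headers.map { |h| [h, samesite_status(h)] }.reject { |_, s| s == :ok }
end

# Constructed sample headers; only the cookie name comes from the warning.
SAMPLE_HEADERS = [
  '_redmine_session=abc123; path=/; HttpOnly; SameSite=None',
  '_redmine_session=abc123; path=/; HttpOnly; SameSite=None; Secure',
  '_redmine_session=abc123; path=/; HttpOnly; SameSite=Lax',
  'example_pref=1; path=/; SameSite=Bogus',
  'example_legacy=1; path=/'
].freeze

if __FILE__ == $PROGRAM_NAME
  audit(SAMPLE_HEADERS).each { |header, status| puts "#{status}: #{header}" }
end
```
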


Files

samesite-none-warning.png (108 KB) Go MAEDA, 2021-05-11 10:09
35226-v2.patch (1.5 KB) Go MAEDA, 2021-05-13 08:28