Mantis Bugtracker

Viewing Issue Advanced Details Jump to Notes ] View Simple ] Issue History ] Print ]
ID Category Severity Reproducibility Date Submitted Last Update
0006167 [Resin] minor always 06-23-18 19:15 07-12-18 14:22
Reporter ferg View Status public  
Assigned To ferg
Priority normal Resolution fixed Platform
Status closed   OS
Projection none   OS Version
ETA none Fixed in Version 4.0.58 Product Version
  Product Build
Summary 0006167: cookie-same-site
Description (rep by Steffan Busch)

But just adding the <cookie-same-site> was not working for our existing ssl-session-cookie:

             - For security, set the HttpOnly flag in cookies.
+ <cookie-same-site>Strict</cookie-same-site>

After looking into the Source of I've seen that the Same-Site logic is in a "if (version > 0) {" block.
So I have added this:

+ <cookie-version>1</cookie-version>

which will cause that now there are two Cookie Headers in the Response:

Set-Cookie: __Host-SSLJSESSIONID=aaa-ZjfzyD5KS98U2iNqw; Path=/; Secure; Version=1; SameSite=Strict; HttpOnly
Set-Cookie2: __Host-SSLJSESSIONID="aaa-ZjfzyD5KS98U2iNqw"; Path="/"; Secure; Version=1; SameSite=Strict; HttpOnly

Wouldn't it be possible to have the Same-Site Cookie configuration without the obsolete[1] Set-Cookie2 feature?

Steps To Reproduce
Additional Information
Attached Files

- Relationships

- Notes
07-12-18 14:22


- Issue History
Date Modified Username Field Change
06-23-18 19:15 ferg New Issue
06-24-18 04:00 stbu Issue Monitored: stbu
07-12-18 14:22 ferg Note Added: 0006840
07-12-18 14:22 ferg Assigned To  => ferg
07-12-18 14:22 ferg Status new => closed
07-12-18 14:22 ferg Resolution open => fixed
07-12-18 14:22 ferg Fixed in Version  => 4.0.58

Mantis 1.0.0rc3[^]
Copyright © 2000 - 2005 Mantis Group
30 total queries executed.
26 unique queries executed.
Powered by Mantis Bugtracker