Mantis - Resin
Viewing Issue Advanced Details

|ID:|Category:|Severity:|Reproducibility:|Date Submitted:|Last Update:|
|6140||feature|always|02-19-18 13:13|05-29-18 16:43|
|ETA:|none|Fixed in Version:|4.0.57|
|Summary:|0006140: Feature-Request: Possibility to add SameSite attribute to the Session Cookie?|
TL;DR: A resin configuration option to append "; SameSite=Lax|Strict" to the Session cookie.
With current 4.x Version of Caucho Resin it's already possible to improve the security of Resin powered Hosts / Web-Apps.
* The 'Secure' Cookie attribute is set when using <ssl-session-cookie>
* This <ssl-session-cookie> also *can* be used to set a Name prefix such as '__Host-' or '__Secure-' e.g.: <ssl-session-cookie>__Host-SSLJSESSIONID</ssl-session-cookie>
__Host- prefix: Cookies with a name starting with __Host- must be set with the secure flag, must be from a secure page (HTTPS), must not have a domain specified (and therefore aren't sent to subdomains) and the path must be "/".
An upcoming standard, SameSite cookies, creates more secure cookies that are sent only on requests that originate from the same site that issued them. They are designed to prevent Cross-Site Request Forgery (CSRF) or at least make it more difficult.
[Quoting hardenize.com, a nifty tool to perform an overall check for your domain]
It would be great if the Session Cookie in Resin could be configured to carry the SameSite attribute with either the value "Lax" or "Strict", or no SameSite attribute at all when the option is not configured.
I would suggest a Resin configuration attribute at the same level as <cookie-http-only> with two possible values:
<cookie-same-site>Lax</cookie-same-site> => resulting in appending "; SameSite=Lax" to the Session Cookie
<cookie-same-site>Strict</cookie-same-site> => resulting in appending "; SameSite=Strict" to the Session Cookie
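The two mechanisms discussed in this request, the __Host-/__Secure- name prefix rules and the proposed "append SameSite=Lax|Strict" behaviour, are illustrated below in an added Python example. It is not part of the Resin issue and not Resin's own code: the parser, the function names and the sample Set-Cookie values are all constructed here. It parses a Set-Cookie header, reports which prefix rule a cookie breaks (browsers silently discard a prefixed cookie that violates them, so a wrong <ssl-session-cookie> name drops the session instead of hardening it), and emulates what a <cookie-same-site> option would add to the header.

```python
"""Added example, not from the Resin issue or the Resin code base.

Checks the __Host-/__Secure- prefix requirements on a Set-Cookie header and
emulates the requested <cookie-same-site> option.  All header values used
here are constructed sample data.
"""

from typing import Dict, List, Optional, Tuple


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, Optional[str]]]:
    """Split a Set-Cookie value into (name, value, attributes).

    Attribute names are lower-cased so the lookup is case-insensitive;
    flag attributes such as Secure and HttpOnly map to None.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, Optional[str]] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else None
    return name.strip(), value, attrs


def prefix_violations(header: str) -> List[str]:
    """Return the prefix rules a __Host-/__Secure- cookie breaks (empty = OK).

    __Secure-: must carry Secure.
    __Host-:   must carry Secure, must not set Domain, and Path must be "/".
    The "set from an HTTPS origin" rule cannot be judged from the header
    alone, so it is not checked here.
    """
    name, _, attrs = parse_set_cookie(header)
    problems: List[str] = []
    if name.startswith("__Host-") or name.startswith("__Secure-"):
        if "secure" not in attrs:
            problems.append("missing Secure")
    if name.startswith("__Host-"):
        if "domain" in attrs:
            problems.append("Domain attribute not allowed")
        if attrs.get("path") != "/":
            problems.append("Path must be /")
    return problems


def apply_same_site(header: str, same_site: Optional[str]) -> str:
    """Emulate the proposed <cookie-same-site> option (hypothetical name).

    same_site is "Lax", "Strict", or None when the option is not configured.
    An attribute the application already set is left untouched.
    """
    if same_site is None:
        return header
    if same_site not in ("Lax", "Strict"):
        raise ValueError("cookie-same-site must be Lax or Strict")
    _, _, attrs = parse_set_cookie(header)
    if "samesite" in attrs:
        return header
    return header.rstrip("; ") + "; SameSite=" + same_site


if __name__ == "__main__":
    # Constructed sample headers: one correct __Host- cookie, one broken.
    good = "__Host-SSLJSESSIONID=abc123; Path=/; Secure; HttpOnly"
    bad = "__Host-SSLJSESSIONID=abc123; Path=/app; HttpOnly"
    print("good:", prefix_violations(good) or "OK")
    print("bad: ", prefix_violations(bad))
    print("Lax: ", apply_same_site(good, "Lax"))
```

Running the block prints no violations for the first cookie, "missing Secure" and "Path must be /" for the second, and the first cookie with "; SameSite=Lax" appended. The None branch of apply_same_site matches the request's "not at all when not configured" case.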
|Steps To Reproduce:|
- Reasons to adopt it:
which is an update to RFC 6265 (HTTP State Management Mechanism, https://tools.ietf.org/html/rfc6265) if approved
- Mozilla Developer Network:
- Browser support for SameSite cookies (which is at almost 60 percent globally).