March 18, 2020
Addressing SameSite cookie issues, before Adobe offers an update that does
March 18, 2020
Addressing SameSite cookie issues, before Adobe offers an update that does
ColdFusion troubleshooter
Legend 66 posts
Followers: 57 people

The update from Adobe yesterday (Mar 17, 2020) did not include a fix regarding the long-anticipated “samesite cookie” problem. In this post, I will share info on what you can do in the meantime, until Adobe DOES address the problem. (The info will also help any who happen to be running on CF11 or earlier, which are no longer updated by Adobe.)

Wasn’t Adobe due to fix this in “the next update”?

Before explaining the issue briefly, and the fix you can consider for now, let me note that it’s something that Chrome announced in May 2019 would be implemented in its version 80, which did come out recently, making the matter all the more pressing. And many in the CF community have been asking Adobe to address this for as long. And Adobe had said there that a fix would be coming in “q2 2020”, while in still other  places the implication was that it would be coming in “the next update”.

So when the CF update was released yesterday, implementing an important security fix (regarding a vulnerability in the Tomcat web server/AJP connector), many had been expecting it would add the samesite cookie fix.  It did not.

So again, I am writing here to point you to resources that explain the problem and a fix.

What is the SameSite Cookie issue?

Fortunately, a lot has been written about the issue, as has been observed by those who knew the problem was coming. If you simply google the term now, you will find ample resources to explain what it’s about. Here are some:

But bottom line, it has to do with when your site may send users pages that involve communication with other sites (or other applications within your own CF site), and where the cookies set by those other sites/apps don’t honor this “same site” cookie setting that Chrome now requires. And so Chrome (and soon other browsers) see this as a problem, and so your app may fail or have errors or just function improperly.

Eventually, Adobe will come out with a fix for CF so that it (CF, at least) DOES set those samesite cookie settings, either with some better default or with the option for you to control the settings.

What can you do, until Adobe does fix the SameSite Cookie issue?

Until a CF update DOES address the problem, you are not “stuck”. You can instead leverage the fact that your web server (IIS or Apache, typically used with CF) both offer a “rewrite” feature, and while normally folks think of that for controlling/changing incoming requests, such rewrite features can ALSO be used to control handling of incoming/request AND outgoing/response HEADERS. And cookies are in fact set as response headers.

And thankfully, our own CF security guru (and all-around great guy) Pete Freitag blogged about all this some months ago. Indeed, first in 2018! And he shows in his two blog posts how to handle this in IIS and Apache, respectively:

Again, this info will also help those on CF11 or older CF versions (or other older CFML engines, or indeed non-CFML app servers) that may also not have implemented samesite cookie support.

There’s also a user defined function that James Moberg has offered.

Hope that’s helpful. I have helped or seen discussions from many people who did not seem to know of these alternativess, or perhaps even of this issue (though it’s getting harder to ignore as more people move to Chrome 80), so I felt it was worth pointing out specially here.

1 Comment
2020-03-24 22:02:55
2020-03-24 22:02:55

Adobe posted a short-term fix available for CF2018 and CF2016, as discussed in comments of the bug report that I’d linked to above, See the ones dated from today (Mar 24, 2020), and forward.

We can hope that based on feedback, they will roll these changes into a later official CF update.

Add Comment