martell has asked for the wisdom of the Perl Monks concerning the following question:
Dear Monks,
I'm using Catalyst::Plugin::Session::State::Cookie to have sessions within my pages. While developing I noticed that Firefox in its most recent version is complaining in the console that my cookies are misusing the sameSite attribute:
Cookie “my_site_session” will be soon rejected because it has the “sameSite” attribute set to “none” or an invalid value, without the “secure” attribute. To know more about the “sameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite photos
In catalyst I have following code to configure my site and the Cookie Plugin:
use Catalyst qw/ ConfigLoader Static::Simple Session Session::Store::FastMmap Session::State::Cookie Authentication Authorization::Roles /;
I found that I can set the secure flag by adding to my config:
__PACKAGE__->config('Plugin::Session' => { cookie_secure => 1, });
This solves my immediate concern because now Firefox doesn't complain any more. (In reality I use the value "2" because on my development machine I don't use https.) But it doesn't feel like a fundamentally good solution.
Looking through the code of the module I don't see the variable "SameSite" explicitly set. Hence I suppose Firefox detects it as having the value "None". I'm not familiar with the innards of Catalyst and I don't know if the cookie is handled somewhere else in Catalyst before sending. But I was wondering if this module should not set the "SameSite" variable in a Cookie by default to "Lax" as it is the expected default.
Any thoughts, insights on this observation before I report it as a bug on the module?
Kind regards
Update: I can confirm that in version 0.18 the issue is solved. Small note however, it is not enough to have Catalyst::Runtime 5.90125, but you need as well to check the version of CGI::Simple. With CGI::Simple 1.25 the problem is solved. Thank you very much for this quick resolution. Kind regards
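As an added example, not taken from the thread or from the Catalyst modules, here is a small Python audit of Set-Cookie headers that applies the rule behind the Firefox warning quoted above: a missing or invalid SameSite value is treated as None, and None without Secure is rejected. The header strings are constructed; the first mirrors the session cookie named in the post, the third is what the cookie_secure fix plus an explicit SameSite=Lax would produce.

```python
"""Audit Set-Cookie headers for the SameSite/Secure problem Firefox warns about.

Added example, not part of the PerlMonks thread or the Catalyst modules.
Rule assumed (as described in the post): a missing or invalid SameSite value
is treated like SameSite=None, and None is only accepted together with Secure.
"""
from typing import Dict, List, Optional

# Constructed sample headers; the first mirrors the cookie named in the post.
SAMPLE_HEADERS = [
    "my_site_session=abc123; path=/; HttpOnly",
    "tracker=1; Path=/; SameSite=None",
    "my_site_session=abc123; path=/; HttpOnly; Secure; SameSite=Lax",
    "cross_site_ok=1; Path=/; Secure; SameSite=None",
]


def parse_set_cookie(header: str) -> Dict[str, Optional[str]]:
    """Return the cookie name under 'cookie_name' plus lower-cased attributes.

    Attributes that carry no value (Secure, HttpOnly) map to None.
    """
    segments = [s.strip() for s in header.split(";")]
    name, _, _value = segments[0].partition("=")
    attrs: Dict[str, Optional[str]] = {"cookie_name": name.strip()}
    for seg in segments[1:]:
        if seg:
            key, has_value, val = seg.partition("=")
            attrs[key.strip().lower()] = val.strip() if has_value else None
    return attrs


def samesite_findings(header: str) -> List[str]:
    """Explain why a SameSite-aware browser would reject this cookie (empty if fine)."""
    attrs = parse_set_cookie(header)
    secure = "secure" in attrs
    findings: List[str] = []
    if "samesite" not in attrs:
        if not secure:
            findings.append("no SameSite attribute: treated as None, but Secure is missing")
    elif (attrs["samesite"] or "").lower() not in ("lax", "strict") and not secure:
        findings.append(f"SameSite={attrs['samesite']!r} (None or invalid) without Secure")
    return findings


def audit(headers: List[str]) -> Dict[str, List[str]]:
    """Map each failing cookie's name to its findings; clean cookies are omitted."""
    result: Dict[str, List[str]] = {}
    for header in headers:
        if problems := samesite_findings(header):
            result[parse_set_cookie(header)["cookie_name"]] = problems
    return result
```

Running audit(SAMPLE_HEADERS) reports the first two cookies only; the cookie_secure => 1 setting from the post clears the first finding because Secure is then present.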
Re: Firefox warns that cookies generated by Catalyst will be rejected in future
by Your Mother (Archbishop) on Jul 05, 2020 at 00:58 UTC