Dear Monks,

I'm using Catalyst::Plugin::Session::State::Cookie to have sessions within my pages. While developing I noticed that Firefox in its most recent version is complaining in the console that my cookies are misusing the sameSite attribute:

Cookie “my_site_session” will be soon rejected because it has the “sameSite” attribute set to “none” or an invalid value, without the “secure” attribute. To know more about the “sameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite photos

In catalyst I have following code to configure my site and the Cookie Plugin:

use Catalyst qw/ ConfigLoader Static::Simple Session Session::Store::FastMmap Session::State::Cookie Authentication Authorization::Roles /;

I found that I can set the secure flag by adding to my config:

__PACKAGE__->config('Plugin::Session' => { cookie_secure => 1, });

This solves my immediate concern because now Firefox doesn't complain any more. (In reality I use the value "2" because on my development machine I don't use https.) But it doesn't feel like a fundamentally good solution.

Looking through the code of the module I don't see the variable "SameSite" explicitly set. Hence I suppose Firefox detects it as having the value "None". I'm not familiar with the innards of Catalyst and I don't know if the cookie is handled somewhere else in Catalyst before sending. But I was wondering if this module should not set the "SameSite" variable in a Cookie by default to "Lax" as it is the expected default.

Any thoughts, insights on this observation before I report it as a bug on the module?

Kind regards

Update: I can confirm that in version 0.18 the issue is solved. Small note however, it is not enough to have Catalyst::Runtime 5.90125, but you need as well to check the version of CGI::Simple. With CGI::Simple 1.25 the problem is solved. Thank you very much for this quick resolution. Kind regards
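Added example, not from the original post or from the Catalyst modules: a small Python linter that applies the rule stated in the Firefox warning to Set-Cookie headers, so a fix such as cookie_secure or an explicit SameSite can be checked against the application's actual responses. It assumes, as the poster observed, that a missing SameSite attribute is treated as None; the sample headers are constructed.

```python
"""Lint Set-Cookie headers for the SameSite/Secure condition Firefox warns about."""

VALID_SAMESITE = ("strict", "lax", "none")


def parse_set_cookie(header):
    """Split a Set-Cookie header value into (name, value, {attr_lowercase: value or True})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val.strip() else True
    return name.strip(), value, attrs


def check_cookie(header):
    """Return a list of findings for one Set-Cookie header; an empty list means it passes."""
    name, _, attrs = parse_set_cookie(header)
    secure = attrs.get("secure") is True
    samesite = attrs.get("samesite")
    findings = []
    if samesite is None:
        # Assumption from the post: no SameSite attribute is treated as SameSite=None.
        effective = "none"
        findings.append(f"{name}: SameSite attribute missing")
    elif isinstance(samesite, str) and samesite.lower() in VALID_SAMESITE:
        effective = samesite.lower()
    else:
        # An unrecognised value falls into the "invalid value" case of the warning.
        effective = "none"
        findings.append(f"{name}: invalid SameSite value {samesite!r}")
    if effective == "none" and not secure:
        findings.append(f"{name}: SameSite=None without Secure; Firefox will reject this cookie")
    return findings


# Constructed sample headers: the default session cookie, the cookie_secure => 1 fix,
# and a cookie with SameSite set explicitly to Lax.
SAMPLE_HEADERS = {
    "default": "my_site_session=abc123; path=/; HttpOnly",
    "cookie_secure": "my_site_session=abc123; path=/; secure; HttpOnly",
    "explicit_lax": "my_site_session=abc123; path=/; secure; HttpOnly; SameSite=Lax",
}


def lint_all(headers=SAMPLE_HEADERS):
    """Map each sample label to its findings."""
    return {label: check_cookie(h) for label, h in headers.items()}
```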

In reply to Firefox warns that cookies generated by Catalyst will be rejected in future by martell
