Chrome 80 and SameSite cookie policy enforcement

  • 17 Mar 2020
  • Seb Duggan

Recently, we noticed some odd behaviour when users were returning from external payment gateways. The gateway's response was being recorded, but the order was then not completing. We tracked this down to the user having been logged out of the website in the meantime, despite only being away for a matter of seconds.

After a lot of investigation, we discovered that this was due to changes introduced in Chrome 80 (the common factor among all the failures) in the cross-site handling of cookies. Everything works fine until an external site POSTs to the Preside site, at which point the incoming request arrives without the session cookie, and so Preside treats the visitor as new and creates a fresh user session.

The issue is the SameSite attribute on the cookie. Previously, a cookie with no SameSite attribute was sent on every request to its domain, wherever the request came from. As of Chrome 80, a cookie without the attribute is treated as SameSite=Lax. Lax is generally a sensible default: the cookie still travels with top-level navigations that use a safe method such as GET (a user following a link to your site), but it is withheld from cross-site POST requests, and from cross-site subresource requests such as images, iframes and fetch/XHR. A payment gateway posting the user back to the site is exactly that case, so the session cookie never arrives. (Chrome does make one exception: a cookie set without any SameSite attribute less than two minutes earlier is still sent on a top-level cross-site POST. A session cookie set at login is normally far older than that, which is why the problem shows up on the return from the gateway.)

The solution is to add SameSite=None to cookies when they are set, and Preside now does this by default. Note that Chrome 80 only honours SameSite=None on a cookie that also carries the Secure attribute (which in turn means it is only sent over HTTPS); a cookie with SameSite=None but no Secure is rejected outright, not just the attribute. For that reason Preside only adds SameSite=None for secure connections/cookies, as otherwise the whole cookie would be ignored.

If for specific applications you need to lock this down more, you can set the policy in your Application.cfc:

super.setupApplication(
      id = "myWebsite"
    , cookieSameSitePolicy = "Lax"
);

Valid options are None, Lax or Strict. Check out the further reading section below for more information on what each of these does. If your site does not receive any incoming cross-site POST requests (payment gateway returns and similar callbacks), you may be able to use Lax, or even Strict, so long as you understand the consequences: with Strict, even a user following a link to your site from elsewhere (an email, a search result) arrives without their session cookie and appears logged out on that first page. Bear in mind too that Lax and Strict are a cross-site request forgery defence, so a site running with None should continue to protect its state-changing requests with CSRF tokens rather than relying on the cookie policy.
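To make the rules above concrete, here is a small JavaScript model of the Chrome 80 decisions described in this post. It is added here as an example and is not Preside's or Chromium's code. It assumes the three behaviours described above (missing attribute means Lax, Lax withholds the cookie from cross-site POSTs, None requires Secure) plus Chrome's two-minute "Lax + POST" exception for cookies set without any SameSite attribute; the request-context fields (crossSite, topLevel, method, https, cookieAgeSeconds) and the Set-Cookie headers with their cookie names are this example's own constructions, not Preside's.

```javascript
// Added example, not Preside's or Chrome's code: a small model of the Chrome 80
// cookie rules the post describes, so the gateway-return failure can be
// reproduced offline. Cookie names and Set-Cookie headers are constructed.

const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

// Parse a Set-Cookie header value into { name, value, sameSite, secure }.
// sameSite is null when the server sent no (or an unrecognised) SameSite
// attribute, so callers can tell "server said Lax" from "browser defaulted".
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  if (eq <= 0) throw new Error(`invalid cookie pair: ${pair}`);
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), sameSite: null, secure: false };
  for (const attr of attrs) {
    const [k, v = ""] = attr.split("=");
    const key = k.trim().toLowerCase();
    if (key === "secure") cookie.secure = true;
    if (key === "samesite") {
      const val = v.trim().toLowerCase();
      if (val === "none") cookie.sameSite = "None";
      else if (val === "lax") cookie.sameSite = "Lax";
      else if (val === "strict") cookie.sameSite = "Strict";
    }
  }
  return cookie;
}

// Rule 1 (storage): Chrome 80 rejects SameSite=None unless Secure is also set,
// so such a cookie never reaches the cookie jar at all.
function isAccepted(cookie) {
  return !(cookie.sameSite === "None" && !cookie.secure);
}

// Rule 2 (default): a cookie with no SameSite attribute behaves as Lax.
function effectiveSameSite(cookie) {
  return cookie.sameSite === null ? "Lax" : cookie.sameSite;
}

// Rule 3 (sending): is a stored cookie attached to a request? `req` is this
// example's simplified request context:
//   crossSite        - the page making the request is on a different site
//   topLevel         - a top-level navigation (address bar changes), not an
//                      image/iframe/fetch subresource
//   method           - HTTP method
//   https            - request is sent over HTTPS
//   cookieAgeSeconds - time since the cookie was set (for the Lax+POST rule)
function isSent(cookie, req) {
  if (cookie.secure && !req.https) return false;
  if (!req.crossSite) return true;
  switch (effectiveSameSite(cookie)) {
    case "None":
      return true;
    case "Strict":
      return false;
    default: // Lax
      if (!req.topLevel) return false;
      if (SAFE_METHODS.has(req.method)) return true;
      // Chrome's "Lax + POST" mitigation: a cookie set WITHOUT any SameSite
      // attribute is still sent on a top-level cross-site POST for the first
      // two minutes of its life. An explicit SameSite=Lax never gets this, and
      // a session cookie set at login is normally far older than two minutes.
      return cookie.sameSite === null && req.cookieAgeSeconds < 120;
  }
}

// The post's scenario: the payment gateway POSTs the user back to the site as a
// top-level cross-site navigation. Returns the names of the cookies that would
// actually arrive with that request.
function cookiesOnGatewayReturn(setCookieHeaders, cookieAgeSeconds = 3600) {
  const returnPost = { crossSite: true, topLevel: true, method: "POST", https: true, cookieAgeSeconds };
  return setCookieHeaders
    .map(parseSetCookie)
    .filter(isAccepted)
    .filter((c) => isSent(c, returnPost))
    .map((c) => c.name);
}

// Constructed sample headers (hypothetical cookie names, not Preside's).
const SAMPLE_HEADERS = [
  "SESSION_OLD=abc; Path=/; HttpOnly; Secure",                    // pre-Chrome-80 style: no SameSite
  "SESSION_NEW=abc; Path=/; HttpOnly; Secure; SameSite=None",     // what the fix emits
  "SESSION_BROKEN=abc; Path=/; HttpOnly; SameSite=None",          // None without Secure: discarded
  "SESSION_STRICT=abc; Path=/; HttpOnly; Secure; SameSite=Strict",
];

console.log(cookiesOnGatewayReturn(SAMPLE_HEADERS));     // [ 'SESSION_NEW' ]
console.log(cookiesOnGatewayReturn(SAMPLE_HEADERS, 30)); // [ 'SESSION_OLD', 'SESSION_NEW' ]
```

Run it with node. The first line of output shows the failure from the post: of the four cookies, only the one carrying SameSite=None; Secure survives the gateway's POST, while the old-style cookie with no attribute is held back, the Strict one is held back, and the None-without-Secure one was never stored. The second line shows the two-minute exception: had the old-style cookie been set 30 seconds earlier it would still have been sent, which is why a quick manual test that logs in and immediately pays can miss the bug.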

Note that although this is currently only enforced in Chrome, both Firefox and Microsoft Edge are due to follow suit in the near future, so the fix is needed regardless of which browser your users favour today.

Further reading:

Author

Seb Duggan

Lead Developer at Pixl8