Cookie “mahara” will be soon rejected because it has the “SameSite” attribute set to “None”

Bug #1943525 reported by Robert Lyon
Affects | Status | Importance | Assigned to | Milestone
Mahara | Fix Released | Low | Robert Lyon |
20.10 | Fix Released | Low | Unassigned |
21.04 | Fix Released | Low | Unassigned |
21.10 | Fix Released | Low | Unassigned |
22.04 | Fix Released | Low | Robert Lyon |

Bug Description

Currently in Firefox on the console log it is warning about:
 Cookie “mahara” will be soon rejected because it has the “SameSite” attribute set to “None”

This exists when viewing the site in http:// mode

It doesn't seem to be an issue in https:// mode as the cookie can have the secure option there

This can be fixed up by adding the SameSite cookie attribute to the session cookie / ctest cookie

Tags: code-cleanup
Revision history for this message
Kristina Hoeppner (kris-hoeppner) wrote :

Set to 'Low' importance because sites should be running with an SSL certificate these days.

Changed in mahara:
importance: Undecided → Low
status: New → Confirmed
tags: added: code-cleanup
Doris Tam (doristam) wrote :

To test this bug:

Locally test this for 'http' mode.
1. Before applying the fix, open the developer console in the browser to see the 'SameSite' warning. This will appear on any page in Mahara.
2. After applying the patch, the console warning goes away.

Warning:
Cookie “mahara” will be soon rejected because it has the “SameSite” attribute set to “None” or an invalid value, without the “secure” attribute. To know more about the “SameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite

Changed in mahara:
assignee: nobody → Robert Lyon (robertl-9)
status: Confirmed → In Progress
Mahara Bot (dev-mahara) wrote : A patch has been submitted for review

Patch for "main" branch: https://reviews.mahara.org/12134

Changed in mahara:
milestone: none → 22.04.0
Mahara Bot (dev-mahara) wrote : A change has been merged

Reviewed: https://reviews.mahara.org/c/mahara/+/12134
Committed: https://git.mahara.org/mahara/mahara/commit/33f2b29b1c0331847489d7eacc720da7e21b58d8
Submitter: "Gold <email address hidden>"
Branch: main

commit 33f2b29b1c0331847489d7eacc720da7e21b58d8
Author: Robert Lyon <email address hidden>
Date: Sat Sep 11 15:49:00 2021 +1200

Bug 1943525: Setting the non https site cookies 'samesite' option

When we are using non-https site we need to define the samesite option
to be something other than 'none'
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite

So will set this to be 'lax' the new default value

Change-Id: If4011fff680e18ed4ca7600164fb9b64f815b9df
Signed-off-by: Robert Lyon <email address hidden>
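
The rule behind the console warning and the fix described in the commit message, as an added PHP example that is not Mahara's own code. pick_cookie_options() and cookie_triggers_warning() are hypothetical names, the header strings are constructed samples, and the example assumes an https site may still ask for SameSite=None.

```php
<?php
declare(strict_types=1);
// Added illustration, not Mahara's code; both function names are hypothetical.

/** Session-cookie options a browser will accept: SameSite=None needs Secure,
 *  and Secure needs https, so a plain-http site falls back to Lax. */
function pick_cookie_options(bool $is_https, string $wanted = 'Lax'): array {
    $samesite = ucfirst(strtolower($wanted));
    if (!in_array($samesite, ['Strict', 'Lax', 'None'], true)) {
        $samesite = 'Lax';   // unknown value: use the browser default explicitly
    }
    if ($samesite === 'None' && !$is_https) {
        $samesite = 'Lax';   // the combination the console warning is about
    }
    return [
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => $is_https,
        'httponly' => true,
        'samesite' => $samesite,
    ];
}

/** True when a Set-Cookie value has SameSite=None (or an invalid value) without Secure. */
function cookie_triggers_warning(string $set_cookie): bool {
    $attrs = [];
    foreach (array_slice(explode(';', $set_cookie), 1) as $part) {
        [$k, $v] = array_pad(explode('=', trim($part), 2), 2, '');
        $attrs[strtolower(trim($k))] = strtolower(trim($v));
    }
    $bad_samesite = isset($attrs['samesite'])
        && !in_array($attrs['samesite'], ['strict', 'lax'], true);
    return $bad_samesite && !array_key_exists('secure', $attrs);
}

// Configure the session cookie before session_start() and before any output.
// The options-array form needs PHP 7.3+. None is requested; on http it becomes Lax.
$is_https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
session_name('mahara');   // cookie name taken from the warning in this report
session_set_cookie_params(pick_cookie_options($is_https, 'None'));

// Constructed sample headers: the state described in the report, then after a Lax fix.
foreach ([
    'mahara=abc123; path=/; HttpOnly; SameSite=None',
    'mahara=abc123; path=/; HttpOnly; SameSite=Lax',
] as $header) {
    printf("%-50s warning=%s\n", $header, cookie_triggers_warning($header) ? 'yes' : 'no');
}
```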

Mahara Bot (dev-mahara) wrote : A patch has been submitted for review

Patch for "21.10_DEV" branch: https://reviews.mahara.org/c/mahara/+/12567

Mahara Bot (dev-mahara) wrote :

Patch for "21.04_DEV" branch: https://reviews.mahara.org/c/mahara/+/12597

Mahara Bot (dev-mahara) wrote :

Patch for "20.10_DEV" branch: https://reviews.mahara.org/c/mahara/+/12568

Mahara Bot (dev-mahara) wrote : A change has been merged

Reviewed: https://reviews.mahara.org/c/mahara/+/12567
Committed: https://git.mahara.org/mahara/mahara/commit/27550c7b78c8b11f642fc1becff8b287bd132b56
Submitter: "Robert Lyon <email address hidden>"
Branch: 21.10_DEV

commit 27550c7b78c8b11f642fc1becff8b287bd132b56
Author: Robert Lyon <email address hidden>
Date: Sat Sep 11 15:49:00 2021 +1200

Bug 1943525: Setting the non https site cookies 'samesite' option

When we are using non-https site we need to define the samesite option
to be something other than 'none'
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite

So will set this to be 'lax' the new default value

Change-Id: If4011fff680e18ed4ca7600164fb9b64f815b9df
Signed-off-by: Robert Lyon <email address hidden>
(cherry picked from commit 33f2b29b1c0331847489d7eacc720da7e21b58d8)

Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/c/mahara/+/12597
Committed: https://git.mahara.org/mahara/mahara/commit/a76fb1342fe6fd79d5974537883b79eb7b03c24d
Submitter: "Robert Lyon <email address hidden>"
Branch: 21.04_DEV

commit a76fb1342fe6fd79d5974537883b79eb7b03c24d
Author: Robert Lyon <email address hidden>
Date: Sat Sep 11 15:49:00 2021 +1200

Bug 1943525: Setting the non https site cookies 'samesite' option

When we are using non-https site we need to define the samesite option
to be something other than 'none'
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite

So will set this to be 'lax' the new default value

Change-Id: If4011fff680e18ed4ca7600164fb9b64f815b9df
Signed-off-by: Robert Lyon <email address hidden>
(cherry picked from commit 33f2b29b1c0331847489d7eacc720da7e21b58d8)

Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/c/mahara/+/12568
Committed: https://git.mahara.org/mahara/mahara/commit/f1d00aa502d2f8003407fc7f3d7e9da97519a772
Submitter: "Robert Lyon <email address hidden>"
Branch: 20.10_DEV

commit f1d00aa502d2f8003407fc7f3d7e9da97519a772
Author: Robert Lyon <email address hidden>
Date: Sat Sep 11 15:49:00 2021 +1200

Bug 1943525: Setting the non https site cookies 'samesite' option

When we are using non-https site we need to define the samesite option
to be something other than 'none'
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite

So will set this to be 'lax' the new default value

Change-Id: If4011fff680e18ed4ca7600164fb9b64f815b9df
Signed-off-by: Robert Lyon <email address hidden>
(cherry picked from commit 33f2b29b1c0331847489d7eacc720da7e21b58d8)
