
This queue is for tickets about the Catalyst-Plugin-Session-State-Cookie CPAN distribution.

Report information
The Basics
Id: 133009
Status: open
Priority: 0
Queue: Catalyst-Plugin-Session-State-Cookie

People
Owner: Nobody in particular
Requestors: postmaster [...] martellphotos.be
Cc:
AdminCc:

Bug Information
Severity: Normal
Broken in: 0.17
Fixed in: (no value)

Subject: Firefox warns that cookies generated by Catalyst will be rejected in future
Hello,

I'm using Catalyst::Plugin::Session::State::Cookie to have sessions within my pages. While developing I noticed that Firefox in its most recent version (78.0.2) is complaining in the console that my cookies are misusing the sameSite attribute.

Message in console:

    Cookie “my_site_session” will be soon rejected because it has the “sameSite” attribute set to “none” or an invalid value, without the “secure” attribute. To know more about the “sameSite” attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite

In Catalyst I have the following code to configure my site and the Cookie plugin:

    use Catalyst qw/
        ConfigLoader
        Static::Simple
        Session
        Session::Store::FastMmap
        Session::State::Cookie
        Authentication
        Authorization::Roles
    /;

I found that I can set the secure flag by adding this to my config:

    __PACKAGE__->config('Plugin::Session' => {
        cookie_secure => 1,
    });

This solves my immediate concern because now Firefox doesn't complain any more. But it doesn't feel like a fundamentally good solution. Looking through the code of the module I don't see the variable "SameSite" explicitly set. Hence I suppose Firefox detects it as having the value "None". I'm not familiar with the innards of Catalyst and I don't know if the cookie is handled somewhere else in Catalyst before sending. But I was wondering if this module should not set the "SameSite" variable in a cookie by default to "Lax", as it is the expected default.

Kind regards
I can confirm that in version 0.18 the issue is solved. Small note however, it is not enough to have Catalyst::Runtime 5.90125, but you need as well to check the version of CGI::Simple. With CGI::Simple 1.25 the problem is solved. Thank you very much for this quick resolution. Kind regards
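The check Firefox applies in this thread (SameSite missing, "None" or invalid, with no Secure attribute) can be reproduced against the Set-Cookie headers a Catalyst application actually emits, which is a useful regression test after upgrading Catalyst::Runtime and CGI::Simple as the second comment recommends. The following Python is an added example, not code from the ticket or from the Catalyst distribution; the sample headers are constructed, and the "missing is treated as None" rule follows the reporter's reading of the Firefox warning.

```python
"""Lint Set-Cookie headers for the Firefox SameSite/Secure complaint from this ticket."""
from typing import Dict, Optional, Tuple

VALID_SAMESITE = {"lax", "strict", "none"}

# Constructed sample headers (not captured from a real deployment).
BROKEN = "my_site_session=abc123; path=/; expires=Thu, 01 Jan 2026 00:00:00 GMT; HttpOnly"
SECURE = "my_site_session=abc123; path=/; secure; HttpOnly"
LAX = "my_site_session=abc123; path=/; HttpOnly; SameSite=Lax"


def parse_set_cookie(header: str) -> Tuple[str, Dict[str, Optional[str]]]:
    """Split a Set-Cookie value into (cookie name, attributes).
    Attribute names are lowercased; flag attributes (Secure, HttpOnly) map to None."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, Optional[str]] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip() if sep else None
    return name, attrs


def samesite_problem(header: str) -> Optional[str]:
    """Return why Firefox would warn about this cookie, or None if it is acceptable."""
    name, attrs = parse_set_cookie(header)
    if "samesite" not in attrs:
        effective = "missing (treated as None)"  # no SameSite attribute at all
    elif attrs["samesite"] is not None and attrs["samesite"].lower() in VALID_SAMESITE:
        effective = attrs["samesite"].lower()
    else:
        effective = f"invalid ({attrs['samesite']!r})"
    if effective in ("lax", "strict"):
        return None
    if "secure" in attrs:
        return None  # SameSite=None is permitted when the cookie is also Secure
    return f"cookie {name!r}: SameSite is {effective} without the Secure attribute"


def harden(header: str) -> str:
    """Append SameSite=Lax when the attribute is absent, the default the reporter asks for."""
    _, attrs = parse_set_cookie(header)
    if "samesite" in attrs:
        return header
    return header.rstrip("; ") + "; SameSite=Lax"


if __name__ == "__main__":
    for h in (BROKEN, SECURE, LAX):
        print(samesite_problem(h) or "ok", "<-", h)
```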