| Subject: | Firefox warns that cookies generated by Catalyst will be rejected in future |
Hello,
I'm using Catalyst::Plugin::Session::State::Cookie to have sessions within my pages. While developing I noticed that Firefox in its most recent version (78.0.2) is complaining in the console that my cookies are misusing the sameSite attribute:
Message in console:
Cookie “my_site_session” will be soon rejected because it has the “sameSite” attribute set to “none” or an invalid value, without the “secure” attribute. To know more about the “sameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite
In catalyst I have following code to configure my site and the Cookie Plugin:
use Catalyst qw/
ConfigLoader
Static::Simple
Session
Session::Store::FastMmap
Session::State::Cookie
Authentication
Authorization::Roles
/;
If found that I can set the secure flag by adding to my config:
__PACKAGE__->config('Plugin::Session' => {
cookie_secure => 1,
});
This solves my immediate concern because now Firefox doesn't complain any more. But it doesn't feel like a fundamental good solution.
Looking through the code of the module I don't see the variable "SameSite" explicitly set. Hence I suppose Firefox detects it as having the value "None". I'm not familiar with the innards of Catalyst and I don't know if the cookie is handled somewhere else in Catalyst before sending. But I was wondering if this module should not set the "SameSite" variable in a Cookie by default to "Lax" as it is the expected default.
Kind regards