Insecure cookies without SameSite attribute set
Chrome 80 will deprecate and remove the use of cookies with the SameSite=None attribute but without the Secure attribute. Any cookie that requests SameSite=None but is not marked Secure will be rejected (Reject insecure SameSite=None cookies - Chrome Platform Status).
In the browser console the following warning is thrown:
[QUOTE]A cookie associated with a cross-site resource at was set without the SameSite attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with SameSite=None and Secure. You can review cookies in developer tools under Application>Storage>Cookies and see more details at and .[/QUOTE]
cPanel sets multiple cookies:
- cpsession (secure cookie without the SameSite attribute)
- timezone (unsecure cookie without the SameSite attribute)
- whostmgrsession (secure cookie without the SameSite attribute)
Thank you for your reply, but it is not an answer to this bug report. I recommend that your development team read "Developers: Get Ready for New SameSite=None; Secure Cookie Settings" and prepare for the Chrome update of February 2020. Thanks again.
Hello, We do appreciate the suggestion but this wouldn't be considered a bug. A bug is something that doesn't function as intended. This is an addition to the product you're requesting and it would be considered a feature request and that should be requested in the proper place to receive the attention it deserves. Thank you.
@cPanelLauren To set cookies to strict and HTTP secure, would this be the line I need to add to the Apache pre main include config, Apache 2.2.4:
Header always set Set-Cookie ^(.*)$ $1;HttpOnly;Secure;SameSite=Strict
Hello @Cloud9 I do believe that would work but I am more concerned with why you're using Apache 2.2 at all?
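An added example, not part of the thread or of cPanel's code: a small audit that classifies Set-Cookie headers under the Chrome rules quoted in the first post, and shows what the `^(.*)$` to `$1;HttpOnly;Secure;SameSite=Strict` rewrite asked about above does to each header. The cookie values, the `tracker` cookie and all function names are assumptions made for illustration.

```python
import re

# Constructed Set-Cookie values; only the cookie names and their
# Secure/SameSite state come from the thread.
SAMPLE_HEADERS = [
    "cpsession=EXAMPLE; HttpOnly; path=/; secure",
    "timezone=Europe/Amsterdam; path=/",
    "whostmgrsession=EXAMPLE; HttpOnly; path=/; secure",
    "tracker=EXAMPLE; path=/; SameSite=None",  # hypothetical: the rejected case
]

def parse_set_cookie(header):
    """Return (name, attrs); attribute names are lower-cased."""
    first, *rest = [part.strip() for part in header.split(";")]
    name = first.split("=", 1)[0]
    attrs = {}
    for part in rest:
        if not part:
            continue
        key, _, value = part.partition("=")
        # A repeated attribute keeps its last value here.
        attrs[key.strip().lower()] = value.strip()
    return name, attrs

def classify(header):
    """Classify one Set-Cookie header under the rules quoted in the thread."""
    name, attrs = parse_set_cookie(header)
    samesite = attrs.get("samesite", "").lower()
    secure = "secure" in attrs
    if samesite == "none":
        # SameSite=None is only honoured together with Secure.
        verdict = "cross-site" if secure else "rejected"
    elif samesite in ("lax", "strict"):
        verdict = "same-site-only"
    else:
        # No usable SameSite: not delivered with cross-site requests.
        verdict = "no-samesite"
    return name, verdict

def append_attributes(header, suffix=";HttpOnly;Secure;SameSite=Strict"):
    """Mimic the ^(.*)$ -> $1<suffix> rewrite from the question above."""
    return re.sub(r"^(.*)$", r"\1" + suffix, header, count=1)

def audit(headers):
    """Map cookie name -> verdict for a list of Set-Cookie headers."""
    return dict(classify(h) for h in headers)

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(classify(h), "->", classify(append_attributes(h)))
```

In mod_headers, the regex-and-replacement form belongs to the `edit` action, while `set` takes a literal header value. After the rewrite every cookie carries SameSite=Strict, so none of them would be sent with cross-site requests.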