Support Partitioned attribute in sticky cookies #10428

Open
khujo opened this issue Sep 20, 2023 · 12 comments · May be fixed by #11242
Labels
kind/feature Categorizes issue or PR as related to a new feature. needs-priority needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one.

Comments

@khujo

khujo commented Sep 20, 2023

All major browser vendors have limited or will limit the use of third-party cookies in their browsers in the near future. ingress-nginx uses cookies to support sticky sessions. This will become an issue in certain scenarios when ingress-nginx serves an endpoint that is a third party to a web application.

To prevent the use of third-party cookies for tracking and still enable use cases like this, there is a W3C proposal that enables partitioning cookie data using the first-party URL as an additional key. (https://github.com/privacycg/CHIPS)

Chrome and Firefox will support CHIPS, while Safari is still undecided.

ingress-nginx should also support CHIPS by adding an attribute like nginx.ingress.kubernetes.io/session-cookie-partitioned so that users can opt in to use partitioned cookie state.

@khujo khujo added the kind/feature Categorizes issue or PR as related to a new feature. label Sep 20, 2023
@k8s-ci-robot
Contributor

This issue is currently awaiting triage.

If Ingress contributors determine this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. needs-priority labels Sep 20, 2023
@rikatz
Contributor

rikatz commented Oct 15, 2023

Can you elaborate a bit more on the proposal? What would this annotation look like? What is the impact on users that enable it, for browsers that don't support it, like Safari?

Thanks

@khujo
Author

khujo commented Oct 25, 2023

Sure,
First of all, it appears that Safari is currently in favor of the CHIPS proposal (WebKit/standards-positions#50 (comment)). So I expect all major browsers to behave the same.

I propose that there is a new annotation nginx.ingress.kubernetes.io/session-cookie-partitioned, with a value of "true" or "false". If the value is "true", it will add the Partitioned attribute to the cookie. A response header could look something like this.

Set-Cookie: _httpsvc_key=SIDUFWE.aosdivod....; path=/; Partitioned

@vseetha2007

Any update on this?

@hetzer-financial-com

This is fairly urgent, since Chrome has already started the phase-out process for third-party cookies (3PC) and has already stopped accepting 3PC without CHIPS for 1% of users since January 4th by default. That implies that session stickiness in a cross-domain context already stopped working for 1% of Chrome users. Full phase-out is scheduled for Q3 this year. See 3PC advisory from Google

@avif

avif commented Mar 31, 2024

Partitioned

Maybe enforce "Secure" too in case it's partitioned.
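
An added example, not part of the thread and not ingress-nginx code: a Go illustration of the proposed annotation together with the "enforce Secure" suggestion above, plus an audit of the resulting Set-Cookie value. `RenderStickyCookie` and `AuditSetCookie` are hypothetical helpers, the annotation name is the one proposed in this issue, and the cookie name and value are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// Annotation name as proposed in this issue (a proposal, not a shipped option).
const partitionedAnnotation = "nginx.ingress.kubernetes.io/session-cookie-partitioned"

// RenderStickyCookie (hypothetical) builds a sticky-session Set-Cookie value.
// When the annotation is "true" it adds Partitioned and also forces Secure,
// which CHIPS requires, and SameSite=None, without which the cookie is not
// sent on cross-site requests at all.
func RenderStickyCookie(annotations map[string]string, name, value string) string {
	attrs := []string{name + "=" + value, "Path=/"}
	if annotations[partitionedAnnotation] == "true" {
		attrs = append(attrs, "Secure", "SameSite=None", "Partitioned")
	}
	return strings.Join(attrs, "; ")
}

// AuditSetCookie (hypothetical) lists the problems in one Set-Cookie value.
func AuditSetCookie(header string) []string {
	seen := map[string]string{}
	for _, p := range strings.Split(header, ";")[1:] { // element 0 is name=value
		k, v, _ := strings.Cut(strings.TrimSpace(p), "=")
		seen[strings.ToLower(k)] = strings.ToLower(strings.TrimSpace(v))
	}
	_, partitioned := seen["partitioned"]
	_, secure := seen["secure"]
	var problems []string
	if partitioned && !secure {
		problems = append(problems, "Partitioned without Secure")
	}
	if partitioned && seen["samesite"] != "none" {
		problems = append(problems, "Partitioned without SameSite=None")
	}
	return problems
}

func main() {
	// Constructed sample values, not captured traffic.
	fmt.Println(AuditSetCookie("route=abc123; path=/; Partitioned"))
	on := map[string]string{partitionedAnnotation: "true"}
	cookie := RenderStickyCookie(on, "route", "abc123")
	fmt.Println(cookie, AuditSetCookie(cookie))
}
```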

@avif

avif commented Apr 2, 2024

It seems that adding the Partitioned attribute to the cookie is constrained by the underlying lua plugin "resty.cookie" not having support for it. Opened an issue here - but I'm just trying to move this along and I know nothing (feel free to wait for an adult).

@longwuyuan
Contributor

/assign

@khujo when is this coming into effect?

@avif

avif commented Apr 2, 2024

@longwuyuan I have implemented most of the changes in my fork here: https://github.com/avif/ingress-nginx/tree/partitioned-cookie-support - waiting on the "resty.cookie" merge.

@avif

avif commented Apr 8, 2024

Partitioned cookie support has been merged to "resty.cookie" (v.0.3.0), I have updated my fork - will do some testing and submit a PR soon.

@avif avif linked a pull request Apr 9, 2024 that will close this issue
@avif

avif commented Apr 11, 2024

@longwuyuan FYI I submitted a PR.

@longwuyuan
Contributor

longwuyuan commented Apr 12, 2024 via email
