Support for SameSite attribute in Set-Cookie header is needed #10384
Assignees
Labels
bug
This bug is not present in a released version of Open Liberty
in:Transport
release bug
This bug is present in a released version of Open Liberty
release:20002
team:Sirius
Comments
mrsaldana
added
the
bug
|
fixed by #10383 |
pnicolucci
added
in:Transport
release bug
28 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
With the upcoming stable version of Chrome 80, Chrome will treat cookies as SameSite=Lax by default if no SameSite attribute is specified.
More information can be found here:
https://www.chromestatus.com/feature/5088147346030592
Setting the cookie's SameSite option in application code by adding the "set-cookie" header can result in two separate cookies, instead of the SameSite attribute reconized as an attribute to the current cookie.
For instance, an expected HTTP header in the response using SameSite should read as:
Set-Cookie: sid=noS6xWtH3tdF6eLjQVngvqk; HttpOnly; Secure; SameSite=None
However, it could be split as:
Set-Cookie: sid=noS6xWtH3tdF6eLjQVngvqk; Secure; HttpOnly
Set-Cookie: SameSite=None
The text was updated successfully, but these errors were encountered: