apache-samesite

This repo contains snippets useful for the SameSite cookie migration happening in early 2020.

Config

Review the config file in this repo. It assumes you just want to temporarily slap SameSite=none on every Set-Cookie without a SameSite parameter, but has some additional examples including/excluding specific cookie names.

Testing

You can simulate some headers easily by setting globally:

Header always add Set-Cookie FOO1=BAR
Header always add Set-Cookie "FOO2=BAZ; Domain=example.com"
Header always add Set-Cookie "FOO2a=BAZ;Domain=example.com; SECURE"
Header always add Set-Cookie "FOO2b=BAZ; Domain=example.com; SECURE  "
Header always add Set-Cookie "FOO2c=BAZ; SECURE; Domain=example.com "
Header always add Set-Cookie "FOO3=BAZ; Domain=example.com ; SameSite=Strict"
Header always add Set-Cookie "FOO4=BAZ; Domain=example.com ; SAMESITE=Strict"

Then send some test requests varying the user-agent:

wget -qS http://localhost -O-
wget -qS -U "Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.34 Safari/534.24." http://localhost
# No change to FOO1 and FOO2 since this is an interolerant one!
wget -qS -U "Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/60.0.696.34 Safari/534.24." http://localhost
wget -qS -U "Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/69.0.696.34 Safari/534.24." http://localhost

Why not

I need Apache 2.2 support.

Why not whitelist browsers?

Chrome UA strings are complicated when considering e.g. mobile: https://developer.chrome.com/multidevice/user-agent