Lucee, Chrome and missing sessions even after applying SameSite to cookies

Hi

I’m trying to get to the bottom of an issue we’ve recently started experiencing with Chrome and dropped sessions in a mature application. I’m getting increasingly confused in trying to debug it, so I’m posting here in the hope that someone might help me see the wood for the trees!

Any help would be greatly appreciated.

The app is an e-store - shoppers go through a selection process to get stock which is retained in their session, we redirect (in an iframe) to a payment gateway (Paydoo) which then posts a result back to our payment results page (not in an iframe).

In all other browsers apart from Chrome 86, the payment results page happily takes the post, combines it with what’s in the session and processes orders normally. In Chrome 86, nothing happens, we just get a blank page.

Initially, the Chrome console was indicating an issue that SameSite needed to be set on cookies, which we duly applied via an Apache header directive. We also had some third-party cookies which we removed. However, this didn’t fix the issue.

The cookies look OK to me.

We have had to experiment with values - SameSite=Strict broke sessions altogether in the app, SameSite=Secure didn’t appear to do anything and triggered errors in the console advising that SameSite attribution was required,

but I’m wondering if we need to change our session management, which is currently set like this:

<cfset this.applicationTimeout = createTimeSpan(1,0,0,0) />
<cfset this.clientManagement = true />
<cfset this.sessionManagement = true />
<cfset this.sessionTimeout = createTimeSpan(0,0,9,0) />
<cfset this.setClientCookies = true />
<cfset this.sessionCookie.secure = true />
<cfset this.sessionCookie.httpOnly = true />
<cfset this.setDomainCookies = true />

Or we need to upgrade to a later Lucee (we are on 5.3.3.62).

Just looking for a steer really - has anyone seen anything like this before, or is there something stupid in my code?

Thanks for reading

Cheers
Dom

SameSite support was added in Lucee 5.3.7:
https://luceeserver.atlassian.net/browse/LDEV-1236

There are only three valid options for SameSite: strict, none or lax. Secure isn’t a valid option.

In Application.cfc you can use the following setting for session cookies:

this.sessionCookie.sameSite = "strict|none|lax";

Trying to do stuff in the iframe is probably what is causing your problems; you probably need to be redirecting the whole page to Paydoo and then back to your site.
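To make the three SameSite values concrete for the flow described in this thread, here is an added Python model (example code, not Lucee code and not from either poster) of how Chrome decides whether to attach a session cookie to the gateway’s cross-site POST back to the results page and to the later top-level redirects. The cookie name CFID and the request scenarios are constructed for illustration; the rules encoded are Chrome 80+ behaviour (unset SameSite treated as Lax, SameSite=None rejected without Secure).

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Cookie:
    name: str
    same_site: Optional[str]   # "Strict", "Lax", "None" or None when the attribute is absent
    secure: bool


@dataclass
class Request:
    cross_site: bool   # the page that initiated the request lives on another site (e.g. the gateway)
    top_level: bool    # a navigation of the top-level document, not an iframe or subresource load
    method: str        # HTTP method of the request
    https: bool        # the request is made over TLS


def cookie_sent(cookie: Cookie, req: Request) -> bool:
    """Return True if Chrome would attach `cookie` to `req` under its SameSite rules."""
    # A Secure cookie is never sent over plain http.
    if cookie.secure and not req.https:
        return False
    # Chrome 80+ treats a missing SameSite attribute as Lax.
    mode = (cookie.same_site or "Lax").lower()
    if mode == "none":
        # SameSite=None is only honoured when the cookie is also Secure.
        return cookie.secure
    if not req.cross_site:
        return True
    if mode == "strict":
        # Strict cookies never ride along on any cross-site request, redirects included.
        return False
    # Lax: cross-site cookies only on top-level navigations using a safe method.
    return req.top_level and req.method.upper() in ("GET", "HEAD")


# Constructed scenarios from the thread: the gateway POSTing its result to the results
# page (full page, over https) and the 3DS/gateway redirect chain arriving as a GET.
GATEWAY_POST = Request(cross_site=True, top_level=True, method="POST", https=True)
GATEWAY_REDIRECT = Request(cross_site=True, top_level=True, method="GET", https=True)


def session_survives(same_site: Optional[str], secure: bool = True) -> dict:
    """Whether the CFID session cookie reaches the app for each step of the gateway flow."""
    cookie = Cookie("CFID", same_site, secure)
    return {
        "gateway_post": cookie_sent(cookie, GATEWAY_POST),
        "gateway_redirect": cookie_sent(cookie, GATEWAY_REDIRECT),
    }
```

Run through the scenarios, Strict loses the session on every cross-site hop (what the original poster saw), Lax or an unset attribute keeps it on the redirects but drops it on the POST, and only None together with Secure carries it through both.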

Many thanks, Zac.

Yeah, it’s weird: the advice in the Chrome Issues panel discusses a “Secure” value, but I haven’t been able to find any further info on it elsewhere.

I will see if setting SameSite in Application.cfc has any effect.

We do redirect out of the iframe to the Paydoo processing page, and then the rest of the process (a redirect to 3DS, then another back to Paydoo, then another back to us) occurs full page.

Secure is a separate option, which means only serve this cookie over https.

One thing I’ve noticed is that existing cookies might not get updated with SameSite; you need to expire them first, then re-issue them.