
This queue is for tickets about the Catalyst-Plugin-Session-State-Cookie CPAN distribution.

Report information
The Basics
Id: 133009
Status: open
Priority: 0/
Queue: Catalyst-Plugin-Session-State-Cookie

Owner: Nobody in particular
Requestors: postmaster [...]

Bug Information
Severity: Normal
Broken in: 0.17
Fixed in: (no value)

Subject: Firefox warns that cookies generated by Catalyst will be rejected in future
Hello,

I'm using Catalyst::Plugin::Session::State::Cookie to have sessions within my pages. While developing I noticed that Firefox in its most recent version (78.0.2) is complaining in the console that my cookies are misusing the sameSite attribute:

Message in console:

    Cookie “my_site_session” will be soon rejected because it has the “sameSite” attribute set to “none” or an invalid value, without the “secure” attribute. To know more about the “sameSite“ attribute, read

In Catalyst I have the following code to configure my site and the Cookie Plugin:

    use Catalyst qw/
        ConfigLoader
        Static::Simple
        Session
        Session::Store::FastMmap
        Session::State::Cookie
        Authentication
        Authorization::Roles
    /;

I found that I can set the secure flag by adding to my config:

    __PACKAGE__->config('Plugin::Session' => {
        cookie_secure => 1,
    });

This solves my immediate concern because now Firefox doesn't complain any more. But it doesn't feel like a fundamentally good solution.

Looking through the code of the module I don't see the variable "SameSite" explicitly set. Hence I suppose Firefox detects it as having the value "None". I'm not familiar with the innards of Catalyst and I don't know if the cookie is handled somewhere else in Catalyst before sending. But I was wondering if this module should not set the "SameSite" variable in a Cookie by default to "Lax" as it is the expected default.

Kind regards
I can confirm that in version 0.18 the issue is solved.

Small note however, it is not enough to have Catalyst::Runtime 5.90125, but you need as well to check the version of CGI::Simple. With CGI::Simple 1.25 the problem is solved.

Thank you very much for this quick resolution.

Kind regards
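
The condition in the Firefox warning quoted in the report can be checked against the Set-Cookie headers an application actually emits. The following is an added example, not code from the ticket or from the Catalyst project; the function names and finding labels are hypothetical, the sample headers are constructed, and treating a missing SameSite attribute like "None" is an assumption taken from the reporter's observation.

```javascript
// Added example: audit Set-Cookie header values for the condition described
// in the Firefox console warning (SameSite "none" or invalid, without Secure).
const VALID_SAMESITE = new Set(["strict", "lax", "none"]);

// Parse one Set-Cookie header value into the fields this check needs.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: eq < 0 ? pair : pair.slice(0, eq), secure: false, sameSite: null };
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const key = (i < 0 ? attr : attr.slice(0, i)).trim().toLowerCase();
    const value = i < 0 ? "" : attr.slice(i + 1).trim();
    if (key === "secure") cookie.secure = true;
    if (key === "samesite") cookie.sameSite = value; // last occurrence wins
  }
  return cookie;
}

// Return the findings for one header:
//   samesite-missing  attribute not sent, the browser picks the behaviour
//   samesite-invalid  value is not Strict, Lax or None
//   needs-secure      None/invalid/missing SameSite on a cookie without Secure
function auditSetCookie(header) {
  const c = parseSetCookie(header);
  const findings = [];
  let effective;
  if (c.sameSite === null) {
    findings.push("samesite-missing");
    effective = "none"; // assumption: matches what the reporter observed
  } else {
    effective = c.sameSite.toLowerCase();
    if (!VALID_SAMESITE.has(effective)) findings.push("samesite-invalid");
  }
  const noneOrInvalid = effective === "none" || !VALID_SAMESITE.has(effective);
  if (noneOrInvalid && !c.secure) findings.push("needs-secure");
  return { name: c.name, secure: c.secure, sameSite: c.sameSite, findings };
}

// Constructed sample headers: as first reported, with cookie_secure set,
// and with an explicit SameSite=Lax.
const samples = [
  "my_site_session=abc123; path=/; HttpOnly",
  "my_site_session=abc123; path=/; secure; HttpOnly",
  "my_site_session=abc123; path=/; SameSite=Lax; HttpOnly",
];
for (const h of samples) console.log(JSON.stringify(auditSetCookie(h)));
```

The second sample shows why setting only the secure flag silences the warning while the SameSite behaviour is still left to the browser.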
