Insecure cookies without SameSite attribute set

dirklammert · Nov 25, 2019

Chrome 80 will deprecate and remove the use of cookies with the SameSite=None attribute but without the Secure attribute. Any cookie that requests SameSite=None but is not marked Secure will be rejected (Reject insecure SameSite=None cookies - Chrome Platform Status).

In the browser console the following warning is thrown:

A cookie associated with a cross-site resource at <URL> was set without the SameSite attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with SameSite=None and Secure. You can review cookies in developer tools under Application>Storage>Cookies and see more details at <URL> and <URL>.

cPanel sets multiple cookies:

cpsession (secure cookie without the SameSite attribute)
timezone (unsecure cookie without the SameSite attribute)
whostmgrsession (secure cookie without the SameSite attribute)

I kindly request all cookies to be set Secure and with the SameSite attribute (probably Lax, maybe Strict).

Thank you

cPanelLauren · Nov 26, 2019

Hello,

For the suggestion, the best place to add this would be the feature request site at https://features.cpanel.net. If you do open a feature request please add a link here so others may vote on it.

You can add an apache include and use mod_headers to add the http headers for the SameSite attribute, this can also be done using an .htaccess file.

dirklammert said:
cpsession (secure cookie without the SameSite attribute)

timezone (unsecure cookie without the SameSite attribute)

whostmgrsession (secure cookie without the SameSite attribute)

We do use strict IP validation and allow you to make some modifications to the configuration in this respect in WHM>>Service Configuration>>Tweak Settings which you may like to check out if you haven't yet.

dirklammert · Nov 26, 2019

Thank you for your reply but it is not an answer to this bug report.
I recommend your development team to read Developers: Get Ready for New SameSite=None; Secure Cookie Settings and prepare for the Chrome update of February 2020.
Thanks again

cPanelLauren · Nov 26, 2019

Hello,

We do appreciate the suggestion but this wouldn't be considered a bug. A bug is something that doesn't function as intended. This is an addition to the product you're requesting and it would be considered a feature request and that should be requested in the proper place to receive the attention it deserves.

Thank you.

Cloud9 · Jun 20, 2020

@cPanelLauren To implement set cookies to strict and http secure would this be the line I need to add to apache pre main include config apache 2.2.4

Code:

Header always set Set-Cookie ^(.*)$ $1;HttpOnly;Secure;SameSite=Strict

cPanelLauren · Jun 30, 2020

Hello @Cloud9

I do believe that would work but I am more concerned with why you're using Apache 2.2 at all?

Thread starter	Similar threads	Forum	Replies	Date
S	Curl 7.37.1 and Insecure Ciphers	Web Servers and Applications	0	Sep 9, 2014
G	vBulletin insecure?	Web Servers and Applications	7	Jan 29, 2009
O	You are running an insecure apache setup. (Merged)	Web Servers and Applications	69	May 23, 2006
	Disable insecure Cpanel cgi-sys scripts -- ¿?¿?	Web Servers and Applications	1	Mar 4, 2006
J	insecure phpBB scripts	Web Servers and Applications	0	May 8, 2005

Search

Search

Insecure cookies without SameSite attribute set

dirklammert

Member

cPanelLauren

Product Owner II

dirklammert

Member

cPanelLauren

Product Owner II

Cloud9

Well-Known Member

cPanelLauren

Product Owner II