Insecure cookies without SameSite attribute set

dirklammert

Member
Mar 7, 2019
NL
cPanel Access Level
Root Administrator
Chrome 80 will deprecate and remove the use of cookies with the SameSite=None attribute but without the Secure attribute. Any cookie that requests SameSite=None but is not marked Secure will be rejected (Reject insecure SameSite=None cookies - Chrome Platform Status).

In the browser console the following warning is thrown:
A cookie associated with a cross-site resource at <URL> was set without the SameSite attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with SameSite=None and Secure. You can review cookies in developer tools under Application>Storage>Cookies and see more details at <URL> and <URL>.
cPanel sets multiple cookies:
  1. cpsession (secure cookie without the SameSite attribute)
  2. timezone (unsecure cookie without the SameSite attribute)
  3. whostmgrsession (secure cookie without the SameSite attribute)
I kindly request all cookies to be set Secure and with the SameSite attribute (probably Lax, maybe Strict).

Thank you
 

cPanelLauren

Technical Support Community Manager
Staff member
Nov 14, 2017
Houston
Hello,


For the suggestion, the best place to add this would be the feature request site at https://features.cpanel.net. If you do open a feature request please add a link here so others may vote on it.

You can add an Apache include and use mod_headers to add the HTTP headers for the SameSite attribute; this can also be done using an .htaccess file.

  1. cpsession (secure cookie without the SameSite attribute)
  2. timezone (unsecure cookie without the SameSite attribute)
  3. whostmgrsession (secure cookie without the SameSite attribute)
We do use strict IP validation and allow you to make some modifications to the configuration in this respect in WHM>>Service Configuration>>Tweak Settings, which you may like to check out if you haven't yet.
 

dirklammert

Member
Mar 7, 2019
NL
cPanel Access Level
Root Administrator
Thank you for your reply but it is not an answer to this bug report.
I recommend your development team to read Developers: Get Ready for New SameSite=None; Secure Cookie Settings and prepare for the Chrome update of February 2020.
Thanks again
 

cPanelLauren

Technical Support Community Manager
Staff member
Nov 14, 2017
Houston
Hello,

We do appreciate the suggestion but this wouldn't be considered a bug. A bug is something that doesn't function as intended. This is an addition to the product you're requesting and it would be considered a feature request and that should be requested in the proper place to receive the attention it deserves.

Thank you.
 

Cloud9

Well-Known Member
Sep 17, 2012
UK
cPanel Access Level
Root Administrator
@cPanelLauren To set cookies to Strict and HttpOnly/Secure, would this be the line I need to add to the Apache pre-main include config (Apache 2.2.4)?

Code:
# Use "edit", not "set": "set" replaces every Set-Cookie value with the literal text, while "edit" applies the regex to each one
Header always edit Set-Cookie ^(.*)$ "$1;HttpOnly;Secure;SameSite=Strict"
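The thread raises two practical questions: how Chrome 80 actually treats each of the cookies listed in the first post (no SameSite attribute versus SameSite=None without Secure), and what the mod_headers `Header edit` line proposed in the last post does to a Set-Cookie header that already carries attributes. The following script is an added example, not cPanel's code or anything posted in the thread. It classifies Set-Cookie headers with the Chrome 80 rules the thread cites and then simulates the Apache regex rewrite with Python's `re` so the effect can be inspected offline. The sample headers are constructed: the cookie names mirror the three cPanel cookies named above, but their values and the two `tracker` cookies are invented. The `GUARDED` pattern (a tempered-greedy-token regex that skips cookies already carrying SameSite) is an assumption of this example, not something the thread proposes.

```python
"""Audit Set-Cookie headers against Chrome 80 SameSite rules and simulate
the mod_headers "Header edit" rewrite discussed in the thread.
Added example; not cPanel's or the forum posters' code."""
import re

# Constructed samples: cookie names follow the thread, values are invented.
SAMPLE_HEADERS = [
    "cpsession=user%3aABCDEF; HttpOnly; Secure; path=/",        # Secure, no SameSite
    "timezone=Europe/Amsterdam; path=/",                         # neither Secure nor SameSite
    "whostmgrsession=root%3a123456; HttpOnly; Secure; path=/",  # Secure, no SameSite
    "tracker=abc; SameSite=None; path=/",                        # None without Secure
    "tracker2=abc; SameSite=None; Secure; path=/",               # None with Secure
]


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, {attribute_lower: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def chrome80_disposition(header):
    """Classify a cookie as Chrome 80 does:
    'rejected'       SameSite=None without Secure: the cookie is dropped.
    'lax-by-default' SameSite absent or unrecognised: treated as Lax, so it is
                     not sent on cross-site POSTs or cross-site subresources.
    'ok'             explicit Lax/Strict, or None together with Secure.
    """
    _, _, attrs = parse_set_cookie(header)
    samesite = attrs.get("samesite", "").lower()
    secure = "secure" in attrs
    if samesite == "none" and not secure:
        return "rejected"
    if samesite not in ("lax", "strict", "none"):
        return "lax-by-default"
    return "ok"


def audit(headers):
    """Map cookie name -> Chrome 80 disposition for a list of Set-Cookie headers."""
    return {parse_set_cookie(h)[0]: chrome80_disposition(h) for h in headers}


# Python equivalents of the Apache mod_headers rules (pattern, replacement).
# NAIVE mirrors the thread's line: Header always edit Set-Cookie ^(.*)$ "$1;HttpOnly;Secure;SameSite=Strict"
NAIVE = (re.compile(r"^(.*)$"), r"\1;HttpOnly;Secure;SameSite=Strict")
# GUARDED (assumed variant) matches only headers with no SameSite attribute,
# so an explicit SameSite=None; Secure cookie is left alone.
GUARDED = (re.compile(r"(?i)^((?:(?!;\s*SameSite=).)*)$"),
           r"\1;HttpOnly;Secure;SameSite=Strict")


def apply_header_edit(header, rule):
    """Apply one (regex, replacement) rule the way 'Header edit' would."""
    pattern, replacement = rule
    return pattern.sub(replacement, header, count=1)


if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_HEADERS).items():
        print(f"{name:16} {verdict}")
    print()
    for h in SAMPLE_HEADERS:
        print("naive  :", apply_header_edit(h, NAIVE))
        print("guarded:", apply_header_edit(h, GUARDED))
```

Running the audit shows that none of the three cPanel cookies is rejected by Chrome 80 (they have no SameSite attribute, so they become Lax by default); only a `SameSite=None` cookie without `Secure` is dropped. The naive rewrite appends `SameSite=Strict` to every cookie, including one that already says `SameSite=None`, leaving two conflicting attributes on the header, and it also duplicates `HttpOnly`/`Secure` on cookies that already have them (harmless to browsers, but untidy). Note also that an Apache include only touches headers Apache itself serves or proxies; the cPanel and WHM interfaces on ports 2083/2087 are served by cpsrvd, so the `cpsession` and `whostmgrsession` cookies are not reachable from httpd.conf or .htaccess.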