octobercms / october

Self-hosted CMS platform based on the Laravel PHP Framework.
https://octobercms.com/

Browser update for cookies starting in 2020 (notes for admins and everyone) #4752

Closed summercms closed 4 years ago

summercms commented 5 years ago

I am writing this post to help the admins and everyone out.

I will update it when I get new information from different browsers, from time to time.

(Maybe the admins want to delete this post and move it to the correct location - I leave it up to them to decide).

New changes

You should set the october_session cookie to the following:

If you are using October to create an API or embed etc. which will be used on a third party website you should set the following:

Google Chrome

Deadline for the stable version is 4th Feb 2020 (Chrome V80). Chrome Dev and Chrome Canary are already running this update; for more information see here: https://www.chromium.org/updates/same-site

To test your website you can use the following things:

image

Above is what experiments I have turned on.

chrome://flags/#same-site-by-default-cookies
chrome://flags/#enable-removing-all-third-party-cookies
chrome://flags/#cookies-without-same-site-must-be-secure

Microsoft Edge

Microsoft is going ahead and updating its browser, and this update will take place when Edge V80 comes out. Please note, Edge versions come out one version before Chrome versions, so this update should go live before Feb 2020.

Firefox

Today I have looked at Firefox Nightly's setup; here are some screenshots of what I'm seeing:

image

and

image

Note: Firefox is doing the same as Chrome and Microsoft and setting Lax as the default, and Strict is a more secure version! I have been running SameSite=Strict for 1-2 years now with October websites and have had no problems. I recommend setting Strict and testing to see if you have any problems, and then moving down to Lax.

Safari

Safari team have said they are going to update their cookies in their browser as well. I can't give an exact date, but expect them to follow quickly.

PHP

I believe that you need to use PHP 7.3 or above for SameSite to work correctly, see here: https://wiki.php.net/rfc/same-site-cookie (PHP 7.3 via commits 08b9310 and 2b58ab2).

Therefore you will need to run October CMS with PHP 7.3 or greater (starting from 2020).

Side note: PHP 7.4 is scheduled to be released on November 28, 2019. Changelog: https://www.php.net/manual/en/doc.changelog.php

Security as default

I did ask the admins if we could set the October config files to:

Just to prevent users from running into a grey screen when trying to load a website. In Google Canary V80, websites with insecure cookies load but appear blank.

Links

https://blog.chromium.org/2019/10/developers-get-ready-for-new.html

For any questions, ask _rowanm, a Googler working on this; you can post questions on Stack Overflow and he will answer them, or you can message him on GitHub or Twitter etc.

He is also going to do a talk on this on 11th Nov 2019 at the Google Chrome Live, see here: https://github.com/GoogleChrome/devsummit/pull/328

Bug in October

There is a bug in October I submitted several months ago found here: https://github.com/octobercms/october/issues/3893

If you cannot get SameSite to work in October using the config files, you can force it through .htaccess by using the following code:

# Force PHP 7.3 (handler names are host-specific; these are cPanel-style
# examples, check your host's documentation for the exact handler name)
AddType application/x-httpd-php73 .php .php73
AddHandler application/x-httpd-php73 .php .php5 .php4 .php3

# Setup Cookies: append the attributes to every Set-Cookie header.
# Requires mod_headers. If the attributes do not show up, add the same
# lines without "always" as well; "always" acts on a different internal
# header table from the default (onsuccess) condition.
<IfModule mod_headers.c>
    Header always edit Set-Cookie ^(.*)$ "$1; HttpOnly"
    Header always edit Set-Cookie ^(.*)$ "$1; Secure"
    Header always edit Set-Cookie ^(.*)$ "$1; SameSite=Strict"
</IfModule>

Common Issues

Javascript cookies (insecure)

The most common issue would probably be a website running a cookie banner to pass something like GDPR. If that plugin is using JavaScript to create the cookie that remembers the user's settings, then it will get blocked by default. Switch from JavaScript to PHP cookies.

Third-Party cookies

You will find many third-party sources failing to pass this update right now, for example Cloudflare's __cfduid cookie, see here: https://community.cloudflare.com/t/google-chrome-warning-about-cloudflare-cookie/123192

Another example is Google Analytics _ga cookie, see here: https://support.google.com/chrome/thread/16654793?hl=en

You don't need to do anything for third-party cookies! They will sort them out for you! Only worry about cookies you create and host.

Lastly

If you come across any insecure cookies in October please email the admins to fix.

(hopefully this post is useful to everyone)
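The post above gives the two cookie profiles (first-party session cookie vs. a cookie used by an API or embed on a third-party site), notes that PHP 7.3 added native SameSite support, and describes the Chrome 80 behaviour where cookies without SameSite are treated as Lax and SameSite=None without Secure is dropped. The following is an added example, not code from October CMS, Laravel or the author of the post: it sends a cookie with explicit attributes on PHP 7.3+ (falling back to the well-known path hack on older PHP), and audits Set-Cookie header strings against those Chrome 80 rules so you can check what a site actually emits. The function names (`sendSameSiteCookie`, `classifySetCookie`) and the sample headers are this example's own; the headers are constructed, not captured from any real site.

```php
<?php
// Added example (not October CMS / Laravel code). Function names and the
// sample Set-Cookie headers below are this example's own, constructed inputs.
declare(strict_types=1);

/**
 * Send a cookie with explicit SameSite, Secure and HttpOnly attributes.
 *
 * Use 'Strict' (or 'Lax') for a first-party session cookie such as
 * october_session, and 'None' for a cookie that must be sent to your API
 * from a third-party site. 'None' is only accepted by Chrome 80+ when the
 * cookie is also Secure, so Secure is forced on unconditionally here.
 */
function sendSameSiteCookie(string $name, string $value, string $sameSite, int $ttl = 7200): bool
{
    $sameSite = ucfirst(strtolower($sameSite));
    if (!in_array($sameSite, ['Strict', 'Lax', 'None'], true)) {
        throw new InvalidArgumentException("Invalid SameSite value: $sameSite");
    }
    $expires = $ttl > 0 ? time() + $ttl : 0;

    if (PHP_VERSION_ID >= 70300) {
        // PHP 7.3+: the options array supports 'samesite' natively.
        return setcookie($name, $value, [
            'expires'  => $expires,
            'path'     => '/',
            'secure'   => true,
            'httponly' => true,
            'samesite' => $sameSite,
        ]);
    }
    // Pre-7.3 fallback: PHP writes the path verbatim into the header, so the
    // attribute can be appended to it. Prefer upgrading PHP over relying on this.
    return setcookie($name, $value, $expires, '/; SameSite=' . $sameSite, '', true, true);
}

/**
 * Classify one Set-Cookie header value the way Chrome 80+ treats it by default:
 *  - no SameSite attribute          -> treated as Lax (breaks cross-site POST/iframe use)
 *  - SameSite=None without Secure   -> rejected outright
 *  - SameSite=None with Secure      -> allowed cross-site
 *  - SameSite=Strict or Lax         -> first-party use only
 */
function classifySetCookie(string $header): array
{
    $parts = array_map('trim', explode(';', $header));
    [$name] = explode('=', array_shift($parts), 2);

    $attrs = [];
    foreach ($parts as $part) {
        if ($part === '') {
            continue;
        }
        [$key, $val] = array_pad(explode('=', $part, 2), 2, null);
        $attrs[strtolower($key)] = $val ?? true;   // valueless attribute -> true
    }

    $raw      = $attrs['samesite'] ?? null;
    $sameSite = is_string($raw) ? ucfirst(strtolower($raw)) : null;
    $secure   = isset($attrs['secure']);
    $httpOnly = isset($attrs['httponly']);

    if ($sameSite === 'None' && !$secure) {
        $verdict = 'REJECTED: SameSite=None requires Secure';
    } elseif ($sameSite === null) {
        $verdict = 'defaulted to Lax (no SameSite attribute)';
    } else {
        $verdict = 'ok: SameSite=' . $sameSite;
    }
    if (!$httpOnly) {
        $verdict .= '; readable from JavaScript (no HttpOnly)';
    }

    return compact('name', 'sameSite', 'secure', 'httpOnly', 'verdict');
}

if (PHP_SAPI === 'cli') {
    // Constructed sample headers, e.g. as copied from a browser's network tab.
    $samples = [
        'october_session=abc123; path=/; httponly',
        'october_session=abc123; path=/; secure; httponly; SameSite=Strict',
        'api_token=xyz; path=/; SameSite=None',
        'api_token=xyz; path=/; Secure; HttpOnly; SameSite=None',
    ];
    foreach ($samples as $header) {
        $r = classifySetCookie($header);
        printf("%-16s %s\n", $r['name'], $r['verdict']);
    }
}
```

Run it with `php cookies.php` to see the verdicts for the constructed headers; the two `api_token` lines show the difference between a cross-site cookie that Chrome 80 drops and one it keeps. In an October site you would not normally call `setcookie` yourself for the session cookie: assuming your `config/session.php` carries the Laravel keys `secure`, `http_only` and `same_site`, set those to `true`, `true` and `'strict'` (or `'lax'`) and use the classifier only to confirm the resulting `Set-Cookie` header looks as intended.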

github-actions[bot] commented 4 years ago

This issue will be closed and archived in 3 days, as there has been no activity in the last 30 days. If this issue is still relevant or you would like to see it actioned, please respond and we will re-open this issue.

summercms commented 4 years ago

Note: Issue with Windows 10 and SameSite Google Chrome V80, users need to install KB4534273

See here for link: https://support.microsoft.com/en-gb/help/4534273/windows-10-update-kb4534273