openid-certification / oidctest

THE CERTIFICATION TEST SUITE HAS BEEN MIGRATED TO A NEW SERVICE https://www.certificatinon.openid.net

SameSite=none on session cookie #226

Open travisspencer opened 4 years ago

travisspencer commented 4 years ago

The test tool's session cookie does not have a SameSite attribute. We foresee this causing problems in some of our tests where we vary the user agent, version, and domains. We haven't seen any issues yet, but wanted to raise it given all the issues we've been seeing lately with this new cookie flag. Our suggestion is to add SameSite=None on its session cookie.

rohe commented 4 years ago

Hmm, I'm not sure we can do this. Depends on whether CherryPy, which is the framework we use for the test tool, supports it. I'll try to find out.

rohe commented 4 years ago

Actually, we've locked the test framework to an older CherryPy version which doesn't have any support for SameSite. Since the Python framework is soon to be decommissioned I can't see us spending the time necessary to move to the latest version (still not sure the latest version supports SameSite).

travisspencer commented 4 years ago

In the end, it's just an HTTP response header, right? Loop over and add SameSite=None if the header name is Set-Cookie and the value starts with sessionid. Seems easy. Point me to where, and I'll send a PR.

rohe commented 4 years ago

Right now I/we leave it to the CherryPy software to issue session cookies. Which means it all happens in the background. Out of sight for me.

travisspencer commented 4 years ago

Ah, but in CherryPy, you can add a post-request filter, right? There this kinda header post-processing could occur. I worked with CherryPy years ago, and then only doing pre-request handling for authentication. It's a very flexible framework though, so I'd be surprised if there wasn't some kinda post-processing hook as well. Do you know if there is? Could that be used do you think?
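The header post-processing sketched in the two comments above, written out as an added example (not code from the oidctest project or either commenter). It assumes response headers arrive as a list of (name, value) tuples and that the session cookie is named sessionid; wiring it into a CherryPy hook such as before_finalize is left to the reader and depends on the pinned version.

```python
"""Add SameSite=None (and Secure) to the session cookie's Set-Cookie header.

Hypothetical helper, not part of oidctest. The (name, value) header list and
the cookie name "sessionid" are assumptions taken from the discussion.
"""
from typing import List, Tuple

Header = Tuple[str, str]


def _has_attribute(cookie_value: str, attr: str) -> bool:
    """True if the cookie string already carries the attribute (case-insensitive)."""
    parts = [p.strip().lower() for p in cookie_value.split(";")[1:]]
    return any(p == attr.lower() or p.startswith(attr.lower() + "=") for p in parts)


def add_samesite_none(headers: List[Header], cookie_name: str = "sessionid") -> List[Header]:
    """Return a copy of headers with SameSite=None added to the named cookie only.

    Only that one cookie is touched: SameSite=None removes the browser's default
    cross-site restriction for it, so it should not be applied to every
    Set-Cookie header. A cookie that already declares SameSite is left as is.
    """
    out: List[Header] = []
    for name, value in headers:
        if name.lower() == "set-cookie" and value.strip().startswith(cookie_name + "="):
            if not _has_attribute(value, "SameSite"):
                value = value.rstrip("; ") + "; SameSite=None"
                # Browsers reject SameSite=None cookies that are not also Secure.
                if not _has_attribute(value, "Secure"):
                    value += "; Secure"
        out.append((name, value))
    return out


# Constructed sample response headers, shaped like those a CherryPy app emits.
SAMPLE_HEADERS: List[Header] = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "csrftoken=xyz; Path=/; SameSite=Lax"),
]

if __name__ == "__main__":
    for name, value in add_samesite_none(SAMPLE_HEADERS):
        print(f"{name}: {value}")
```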

rohe commented 4 years ago

I've never worked with CherryPy on that level. Well, like you I've done pre-request handling. Don't know about post-processing, but it's worth looking into.