XF 2.1 SameSite cookies and removal of anti-CSRF tokens

Fozzie

New member
Why aren't the xf_user and xf_session cookies set to SameSite Lax? Assuming all forms are using POST, then authentication cookies with the SameSite Lax value will not be sent for cross-origin requests, eliminating the need for any anti-CSRF tokens at all.

Both Chrome and Firefox now automatically treat cookies that don't specify a SameSite policy as SameSite Lax, so I don't see why it isn't explicitly set.

Is there a way to set these cookies to SameSite Lax and disable anti-CSRF tokens?
 
XF 2.2 has support for setting SameSite cookies if you are using PHP 7.3 or above and we use Lax as the default value. (New cookies set here since yesterday should now have the attribute showing).

We have no plans to eliminate the CSRF token.
 
Thanks for the reply, but if all cookies are set with SameSite to Lax what is the point of the anti-CSRF token? Can you at least give us an option to remove it?
 
Is there anything that needs to be done to enable SameSite cookies on XF 2.2 with PHP 7.3+?

I'm running PHP 7.4 and there is no "SameSite" attribute for the xf_session or xf_csrf cookies, and I don't see any such option in the AdminCP to enable it. I have checked several other XF 2.2 forums, including these here on XenForo.com, and I don't see the attribute set for them, either.

Here are my cookies for xenforo.com:

[Screenshot attachment: cookies for xenforo.com, 2021-04-25]
 
Confirmed. ;)
Our site also runs with PHP 7.4.x and this attribute is not set at all.
Here at xenforo.com only the cookie __cfduid is marked with the SameSite attribute (= Lax).
 
The default setting of a SameSite value was rolled back because of some browser issues (as I recall, specifically some situations where iOS stopped sending the cookie when it should've been sent).

It can still be opted into when setting specific cookies, but we don't set it by default at this time.
 
As a temporary patch, users with access to the Apache/domain configuration can add the following lines when the header module is loaded.

Apache config:
<IfModule mod_headers.c>
    ## Append each attribute only when the cookie does not already carry it.
    ## An unconditional "(.*)" edit would add a second SameSite attribute to
    ## cookies that already set one (e.g. __cfduid, or a cookie that needs None).
    Header always edit Set-Cookie "(?i)^((?:(?!;\s?SameSite=).)+)$" "$1; SameSite=Lax"
    Header always edit Set-Cookie "(?i)^((?:(?!;\s?HttpOnly).)+)$" "$1; HttpOnly"
    Header always edit Set-Cookie "(?i)^((?:(?!;\s?Secure).)+)$" "$1; Secure"
    ## other settings...
</IfModule>

After restarting Apache, all cookies in this domain configuration should now have the attributes: secure, HttpOnly and SameSite=Lax.

Hth.
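The Apache rules above rewrite every Set-Cookie header on the way out. As an added example (not XenForo's code and not the poster's), the Python below mirrors the same three attribute checks in an idempotent form so a site can be audited before its config is touched, and encodes the browser's SameSite=Lax send rule that the opening question relies on. The cookie headers are constructed samples with placeholder values.

```python
"""Set-Cookie hardening audit and the SameSite=Lax send rule (added example)."""
import re

# One case-insensitive pattern per attribute, like the (?i) flag in the Apache rules.
# Each pattern requires a preceding ';' so "path=/secure" is not mistaken for Secure.
_ATTRIBUTES = {
    "SameSite": re.compile(r";\s*SameSite=", re.IGNORECASE),
    "HttpOnly": re.compile(r";\s*HttpOnly\s*(?:;|$)", re.IGNORECASE),
    "Secure": re.compile(r";\s*Secure\s*(?:;|$)", re.IGNORECASE),
}
_SUFFIX = {"SameSite": "; SameSite=Lax", "HttpOnly": "; HttpOnly", "Secure": "; Secure"}


def missing_attributes(set_cookie: str) -> list[str]:
    """Names of the hardening attributes absent from one Set-Cookie value."""
    return [name for name, rx in _ATTRIBUTES.items() if not rx.search(set_cookie)]


def harden_set_cookie(set_cookie: str) -> str:
    """Append SameSite=Lax, HttpOnly and Secure where missing. Unlike an
    unconditional '(.*)' edit, a cookie that already carries an attribute
    (the __cfduid case in the thread) keeps a single copy of it."""
    value = set_cookie.strip()
    for name in missing_attributes(value):
        value += _SUFFIX[name]
    return value


def lax_cookie_sent(cross_site: bool, method: str, top_level_navigation: bool) -> bool:
    """Browser rule for a SameSite=Lax cookie: always attached on same-site
    requests; cross-site only on a top-level navigation with a safe method
    (GET/HEAD). A cross-site POST (a forged form) does not carry it, but a
    cross-site GET link does, so Lax alone only covers POST-only state changes."""
    if not cross_site:
        return True
    return top_level_navigation and method.upper() in ("GET", "HEAD")


# Constructed sample headers resembling the thread's cookies (placeholder values).
SAMPLE_HEADERS = [
    "xf_session=abc123; path=/; HttpOnly",
    "xf_csrf=def456; path=/",
    "__cfduid=d1; path=/; SameSite=Lax; HttpOnly; Secure",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(missing_attributes(header), "->", harden_set_cookie(header))
```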
 