XF 2.2 Is There Still a Reason to Not Use SameSite Strict or Lax for Cookies?

⭐ Alex ⭐

Well-known member
I've put $config['cookie']['samesite'] = 'Strict'; into my config.php, deleted my cookies and verified their SameSite attribute are set to Strict.

Then I tried accessing my forum from a link on social media.

I also tried registering using a social media account and logging in.

Everything seems to work flawlessly and I'm still logged in, even though, technically, in Strict mode cookies aren't sent with the initial request to the forum from other websites, unlike Lax. I'm assuming XenForo uses JavaScript and AJAX to do authentication after the page has partially loaded, so that even if cookies aren't sent on the first request, I'm still logged in anyway.

So, is there still a reason to use SameSite: None or have all browser bugs and other issues been fixed by now?

Edit: Firefox 119.0 is weird and works with cookies SameSite set to Strict.
Solution
By default, XF does not set a value and browsers enforce their default policy (Lax or None). Explicitly setting Strict will cause issues for cross-site navigations, and XF does not make any attempt to work around this since doing so would negate the purpose of the policy to begin with. I'm not sure why you would appear to be authenticated in this situation, but the utility of using Strict over Lax is pretty limited anyway.
The cookies were set to None explicitly in my case, and I believe that's because the policy of Lax was rolled back as stated by Mike (correct me if I'm wrong):


Since there were bugs in Chrome back then.

They are also set to SameSite None on xenforo.com
The pertinent change there was that XF stopped setting any explicit policy and allowed browsers to enforce their default policy. The default policy varies by browser. Prior to that change XF had set Lax explicitly, overriding the browser's default policy, which causes issues due to bugs in some browsers which have not yet switched their default policy.

If your cookies were explicitly set to None then it was either because that was configured in XF, or your web server, browser, or other intermediate service sets a policy for cookies without one.
They are also set to SameSite None on xenforo.com
This may be due to a browser extension then as that is not actually the case for XF.com:


Okay, I tested in Chromium and Strict breaks staying logged in from another website. Strange that it works on Firefox; something funky must be happening.
I can't speculate as to why it would work in Firefox, but it's not supposed to. Frankly the ranges kind of fall into:

1) I am operating a site that does not care much about security (None)
2) I am operating a site that is pragmatic about security (Lax)
3) I am operating the control panel for a nuclear reactor or financial institution (Strict)
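The three tiers above boil down to one question the browser answers per request: is this cookie attached or not? The following is an added example, not XenForo code, that models that decision in plain JavaScript so the thread's scenario (a session cookie, a user arriving from a link on another site) can be traced for each policy. It assumes simplified rules and a small browser-profile table: Chromium-based browsers defaulting to Lax with the "Lax+POST" mitigation for cookies under two minutes old, Firefox and Safari defaulting to None at the time of this thread. The cookie name and the request shapes are constructed for the demo.

```javascript
// Added example, not part of XenForo: a simplified model of a browser's
// SameSite decision for one cookie on one outgoing request.

// Browser default policy applied when Set-Cookie carries no SameSite attribute.
// Assumption for the demo: Chromium defaults to Lax and keeps the
// "Lax-allowing-unsafe" exception (a cookie set < 2 minutes ago is still sent
// on a cross-site top-level POST); Firefox and Safari default to None.
const BROWSER_DEFAULTS = {
  chromium: { sameSite: 'Lax', laxAllowingUnsafe: true },
  firefox: { sameSite: 'None', laxAllowingUnsafe: false },
  safari: { sameSite: 'None', laxAllowingUnsafe: false },
};

const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);

/**
 * Decide whether a cookie is attached to a request.
 * cookie:  { sameSite: 'Strict'|'Lax'|'None'|undefined, secure: bool, ageSeconds: number }
 * req:     { crossSite: bool, topLevel: bool, method: string, https: bool }
 * browser: key of BROWSER_DEFAULTS
 */
function cookieIsSent(cookie, req, browser) {
  const profile = BROWSER_DEFAULTS[browser];
  if (!profile) throw new Error(`unknown browser profile: ${browser}`);

  // An explicit attribute wins; otherwise the browser's default policy applies.
  const explicit = cookie.sameSite !== undefined;
  const policy = explicit ? cookie.sameSite : profile.sameSite;

  // Same-site requests carry the cookie under every policy.
  if (!req.crossSite) return true;

  switch (policy) {
    case 'None':
      // SameSite=None is only honoured for Secure cookies on HTTPS requests;
      // an insecure None cookie is rejected at set time, modelled here as "not sent".
      return cookie.secure === true && req.https === true;
    case 'Lax': {
      // Lax: cross-site only on a top-level navigation using a safe method.
      if (req.topLevel && SAFE_METHODS.has(req.method.toUpperCase())) return true;
      // Chromium's mitigation for fresh default-Lax cookies on a top-level POST.
      if (!explicit && profile.laxAllowingUnsafe && req.topLevel && cookie.ageSeconds < 120) return true;
      return false;
    }
    case 'Strict':
      // Strict: never on a cross-site request, including the link click itself.
      return false;
    default:
      throw new Error(`unknown SameSite value: ${policy}`);
  }
}

// Constructed scenarios: a link from a social-media site (cross-site top-level GET)
// and a cross-site top-level POST (a form post or some identity-provider callbacks).
const LINK_FROM_SOCIAL = { crossSite: true, topLevel: true, method: 'GET', https: true };
const CROSS_SITE_POST = { crossSite: true, topLevel: true, method: 'POST', https: true };

// Assumed cookie name for the forum session; the real name is not part of this example.
function sessionCookie(sameSite, ageSeconds = 3600) {
  return { name: 'xf_session', sameSite, secure: true, ageSeconds };
}

// Which explicit policies keep the user logged in on the first request after a link click?
function policiesThatSurviveLinkClick(browser) {
  return ['Strict', 'Lax', 'None'].filter(
    (p) => cookieIsSent(sessionCookie(p), LINK_FROM_SOCIAL, browser),
  );
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const b of Object.keys(BROWSER_DEFAULTS)) {
    console.log(
      b,
      '| link click, explicit policies that survive:', policiesThatSurviveLinkClick(b).join(','),
      '| no attribute sent on link click:', cookieIsSent(sessionCookie(undefined), LINK_FROM_SOCIAL, b),
    );
  }
}
```

Tracing the thread's case through this model: with an explicit Strict cookie the social-media link click arrives without the session cookie in every profile, so the first page is anonymous regardless of what later AJAX calls do; with Lax the click is a top-level GET and the cookie is sent; with no attribute at all the outcome depends entirely on the browser's default, which is exactly the discrepancy the rest of the thread turns on.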
If your cookies were explicitly set to None then it was either because that was configured explicitly in XF or your web server (or other intermediate service) set an explicit policy for cookies without one.
It's strange because Firefox isn't complaining about XenForo's cookies lacking SameSite. It only complains about the _gd cookie that Froala sets.

So it would seem None is being explicitly set.


... And very interesting: in Chromium the SameSite is just missing.

Interesting indeed. Maybe I'm missing the Firefox warning because the cookie gets set when I'm not looking at web developer tools.

That means that Firefox has not yet begun setting SameSite Lax into all cookies then. And I'm using up to date firefox. (119.0)


And I don't have a non-default value in my config otherwise that false would be in bold.

Can XenForo start shipping with Lax explicitly set? Bugs, gotcha.

Thanks for clearing this up for me. Cheers!
Ah, I was mistaken. Firefox and Safari have not yet changed their default policy. I've edited my posts to prevent confusion for future readers. Firefox also displays the default policy value in the inspector whereas Chrome just leaves it blank. I'm a bit surprised as Chrome changed the default policy years ago, but it appears to be because they deploy exceptions as mitigations for common breakages that others have yet to implement.

I don't think Lax should be troublesome for XF, but I'd still be reluctant to ship it by default given some browsers still have bugs in their implementation. I would take the browsers setting Lax as their default policy as a stronger signal that it should function as anticipated and leave it up to them.
Actually I tested with Brave. Could be the discrepancy there.