Implemented Support SameSite cookie attribute

Xon

Well-known member
The SameSite cookie attribute is being rapidly adopted across browsers, and it is backwards compatible.

Same-site cookies ("First-Party-Only" or "First-Party") allow servers to mitigate the risk of CSRF and information leakage attacks by asserting that a particular cookie should only be sent with requests initiated from the same registrable domain.

For cross-site integration purposes, this likely needs to be a config.php level toggle.
 
This suggestion has been implemented. Votes are no longer accepted.
With upcoming changes to Chrome v80, it will default to Lax. While the current default is effectively SameSite=None, and in Firefox. There appears to be some compatibility "fun" with different browser defaults as well.
 
Hello Xon,

Do you have any idea how to fix this in a XenForo 1.5.24 situation?

Since Firefox v77, all Firefox users have trouble loading my forums. When they load the site, Firefox does not load the current content. But when these members press F5 to reload the site, they see the correct current content. At the moment this is only seen with FF v77 and above. Other browsers load the current content as before.

And I have no idea what FF changed in v77 and above that causes the trouble. So I think it may have to do with some cookie trouble. Or?
 
I upvoted it because of the security issues posed in the introduction.

However, does this mean that other sites can't read your cookies too? I think that other big sites can read cookies to see your browsing history, but unsure unless they are reading what you visit through a share button on that page too.
 
We added support for this in XF 2.2 by the way. Didn’t mention it sooner as I didn’t realise there was a suggestion for it. Cookies are Lax by default but can be set to First-Party on a cookie-by-cookie basis.

We don't immediately have any plans to use anything other than Lax hence no config switch.

To benefit, you do require PHP 7.3 as that has the native ability to set the SameSite attribute.

No workarounds for older PHP planned. Upgrade your PHP!
 
It was just a general comment.

If you're running XF 1.5, no support can be provided. We can only recommend upgrading to XF 2.2 at this point (once it is stable).
 
XF 2.2 is not ready today, I think you know that, and if that's the problem we have with Firefox v77 and above (is it?), it does not really help my members to tell them today that in the near future it would be better once we can update to XenForo 2.2, when it is stable and all common add-ons are up to date with XF 2.2.
That can be end of October or Christmas if it runs badly. ;)

I run 3 XenForo boards, 2 with active licences. A hint on how we can fix it today to bridge the time up to XF 2.2 would be really helpful for us.

(All that, if I am right that the trouble with FF v77 and above we have is based on this cookie problem we talk about here. That's clear. :) )
 
I don't even have XF 1.5 code checked out anymore and for obvious reasons we will no longer be providing support for it in any circumstances directly, even if it was a security issue.

If you need advice for an XF 2.1 installation, please post a new (support) thread and I'll be able to post some rough guidance on the changes required but that may or may not help you with XF 1.5 depending on how similar the code is, or where the code is located in that version.
 
I don't see the answer to how this is implemented in this thread, so I'm going to post it here: it's configurable for XF's core cookies with the config.php line:

$config['cookie']['samesite'] = 'Lax';

Edit: Don't use Strict folks, it's for banks only. Also it may work on Firefox but it won't work on chromium based browsers!
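
The two posts above (native SameSite support needing PHP 7.3, and the config.php toggle for XF's core cookies) can be illustrated with the options-array form of setcookie() that PHP 7.3 introduced. The snippet below is an added example, not XenForo's own code; the function name, the cookie name and the assumption that a SameSite=None cookie must also be Secure to be accepted by Chromium-based browsers are mine, not from the thread.

```php
<?php
// Added example, not XenForo code: send a cookie with an explicit SameSite
// attribute using the options array that setcookie() accepts since PHP 7.3.
// The function name and the sample cookie values are constructed for this demo.

declare(strict_types=1);

function setSameSiteCookie(string $name, string $value, int $ttl, string $sameSite = 'Lax'): bool
{
    if (PHP_VERSION_ID < 70300) {
        // Older setcookie() has no samesite option; fail loudly instead of
        // silently emitting a cookie without the attribute.
        throw new RuntimeException('SameSite cookies need PHP 7.3 or newer');
    }

    if (!in_array($sameSite, ['Lax', 'Strict', 'None'], true)) {
        throw new InvalidArgumentException("Unknown SameSite value: $sameSite");
    }

    $secure = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';

    // Assumption documented in the lead-in: a cross-site (None) cookie must also
    // carry Secure, so refuse to send one over plain HTTP rather than have the
    // browser drop it and leave the site debugging "missing cookie" reports.
    if ($sameSite === 'None' && !$secure) {
        throw new RuntimeException('SameSite=None requires the Secure attribute (HTTPS)');
    }

    return setcookie($name, $value, [
        'expires'  => time() + $ttl,
        'path'     => '/',
        'secure'   => $secure,
        'httponly' => true,      // keep session-style cookies away from page scripts
        'samesite' => $sameSite, // 'Lax' mirrors the config.php default shown above
    ]);
}

// Constructed usage: a Lax session cookie valid for one hour.
setSameSiteCookie('example_session', bin2hex(random_bytes(16)), 3600, 'Lax');
```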
 