- Description has changed:

Diff:

~~~~
--- old +++ new @@ -1,2 +1 @@ - `Cookie “_session_id” will be soon rejected because it has the “sameSite” attribute set to “none” or an invalid value, without the “secure” attribute. To know more about the “sameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Cookies`
~~~~

- **status**: review --> open
- **Comment**:

Seeing same warning for `memorable_forget`. Probably `site-notification` cookie needs it too. Allura can run without https, in fact that's the default for a docker development instance. And then setting `secure` flag on the cookie means it doesn't work and you can't submit any form successfully. Could check `beaker.session.secure` config and only do secure if that is secure. Or set `SameSite=Strict`, seems like that would be ok we don't need these cookies shared? But might be good to have cookies flagged as secure whenever possible anyway.

---

**[tickets:#8362] Fix cookie lacking secure attribute**

**Status:** open
**Milestone:** unreleased
**Created:** Fri May 29, 2020 02:52 PM UTC by Kenton Taylor
**Last Updated:** Fri May 29, 2020 02:57 PM UTC
**Owner:** Kenton Taylor

`Cookie “_session_id” will be soon rejected because it has the “sameSite” attribute set to “none” or an invalid value, without the “secure” attribute. To know more about the “sameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Cookies`

---

Sent from forge-allura.apache.org because dev@allura.apache.org is subscribed to https://forge-allura.apache.org/p/allura/tickets/
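The approach suggested in the comment, sketched as an added example that is not Allura's code: set `Secure` only when `beaker.session.secure` is enabled, always send an explicit `SameSite` value, and check a `Set-Cookie` value for the condition the browser warning describes. The function names, the plain-dict config and the sample cookie values are assumptions made for illustration.

```python
from http.cookies import SimpleCookie

TRUTHY = {"1", "true", "yes", "on"}
VALID_SAMESITE = {"strict", "lax", "none"}


def session_is_secure(config):
    """Read `beaker.session.secure`; .ini values arrive as strings."""
    raw = config.get("beaker.session.secure", "false")
    return str(raw).strip().lower() in TRUTHY


def build_set_cookie(config, name, value, samesite="Strict"):
    """Return a Set-Cookie value that works on plain-http dev instances
    and is flagged Secure wherever the deployment is configured for it."""
    secure = session_is_secure(config)
    if samesite.lower() == "none" and not secure:
        # This is exactly the combination the browser will reject.
        raise ValueError("SameSite=None requires the Secure attribute")
    cookie = SimpleCookie()
    cookie[name] = value
    morsel = cookie[name]
    morsel["path"] = "/"
    morsel["httponly"] = True
    morsel["samesite"] = samesite  # supported by http.cookies since Python 3.8
    if secure:
        morsel["secure"] = True
    return morsel.OutputString()


def flagged_by_browser(set_cookie_value):
    """True when SameSite is 'none' or an invalid value and Secure is absent.
    A missing SameSite attribute is outside the quoted warning, so not flagged."""
    attrs = {}
    for part in set_cookie_value.split(";")[1:]:
        key, _, val = part.strip().partition("=")
        attrs[key.lower()] = val.strip().lower()
    if "samesite" not in attrs or "secure" in attrs:
        return False
    return attrs["samesite"] == "none" or attrs["samesite"] not in VALID_SAMESITE


if __name__ == "__main__":
    # Constructed configs: a plain-http docker dev instance and an https deployment.
    for cfg in ({"beaker.session.secure": "false"}, {"beaker.session.secure": "true"}):
        header = build_set_cookie(cfg, "_session_id", "abc123")
        print(header, "| flagged:", flagged_by_browser(header))
```
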