On Tue, Jan 21, 2020 at 9:26 PM Bert JW Regeer <[email protected]> wrote [on pylons-devel]:
> A new version of WebOb has been released, version 1.8.6
>
> This adds a new option for the SameSite cookie attribute to match the draft
> RFC that Google has implemented in their browser Chrome.
>
> https://pypi.org/project/WebOb/1.8.6/
I'm trying to get my head around this 'samesite=none' and 'samesite=lax' issue. I have a Pylons application with Beaker sessions that share the cookie between two sites: the main website (mysite.parent.com) and a mobile-optimized view (m.mysite.parent.com). Users can switch to the other site via "Mobile Site" and "Main Site" links, and their session state should follow them. Currently this works with the configuration:

    beaker.session.cookie_domain = .mysite.parent.com
    beaker.session.httponly = true
    beaker.session.save_accessed_time = true
    beaker.session.secret = ...
    beaker.session.secure = true
    beaker.session.timeout = 172800
    beaker.session.type = ext:redis
    beaker.session-url = redis://redis/1

The "cookie_domain" setting allows the cookie to be shared within the domain family.

My question is, will Chrome's changes in February break the session sharing? Should I set 'beaker.session.samesite = none' or 'beaker.session.samesite = lax'? Do I need to upgrade from Beaker 1.10.0 to 1.11.0? The site is working now on Chrome 78.0.3945.117.

From what I've gathered in the WebOb description and issues, linked references to Chrome blogs and OWASP, and Beaker's changelog and commits, the 'samesite' attribute was added to Beaker before 1.10.0 and defaults to 'lax', and Beaker 1.10.1 filled some gaps in the default. But now the Chrome reference seems to say 'lax' won't be good enough anymore, you need to set 'none', but 'none' is not implemented yet in many browsers. And a WebOb issue comment says Google implemented an expired draft spec and is shoving it onto users to railroad the web industry into its vision, and the spec itself is rapidly changing, so I may have to update my site multiple times as it evolves.

There are also explanations of cross-site vs same-site activity, and that cross-domain GET hyperlinks are usually safe, and they give the example of a cross-site request (an advertising link or an image on another site) vs a same-site request (a link to the same domain as in the address bar). My use case seems to fall in between, sharing within a family of domains as specified by the 'cookie_domain' attribute. So is it "same-site" or "cross-site", and do I need to change my configuration to keep it working in future browsers?

Beaker changelog (see 1.11.0, 1.10.1, 1.10.0)
https://github.com/bbangert/beaker/blob/master/CHANGELOG

Beaker session doc (see section "Cookie security")
https://github.com/bbangert/beaker/blob/master/beaker/docs/sessions.rst

Beaker commit in 1.11.0
https://github.com/bbangert/beaker/commit/111ad13fc57350eddd8972dae0c82a92f6327f29

Beaker commit in 1.10.1
https://github.com/bbangert/beaker/commit/b60a46db0baf59caa817f12634dea183be2e38a4

OWASP samesite recommendation
https://www.owasp.org/index.php/SameSite

WebOb changelog
https://pypi.org/project/WebOb/

WebOb samesite issue
https://github.com/Pylons/webob/issues/406

WebOb pull request
https://github.com/Pylons/webob/pull/407

WebOb samesite issue 2
https://github.com/Pylons/webob/pull/407

IETF draft spec (expired)
https://tools.ietf.org/html/draft-west-cookie-incrementalism-00

Chromium: explanation
https://blog.chromium.org/2019/10/developers-get-ready-for-new.html

Chromium: list of incompatible clients (i.e., browsers)
https://www.chromium.org/updates/same-site/incompatible-clients

Mozilla: explanation
https://blog.mozilla.org/security/2018/04/24/same-site-cookies-in-firefox-60/

P.S. The site is still on Python 2.7. Is there any hope of Pylons becoming Python 3 compatible? We don't have the resources to migrate it to Pyramid; the next migration will probably be Javascript. (We already have a Javascript mobile app; we just need to port it to the web and work around it needing a SQLite database.)
-- 
Mike Orr <[email protected]>
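Added example, not part of the post and not Beaker's or WebOb's own code: a toy model of the same-site decision behind the question above, applied to the mysite.parent.com / m.mysite.parent.com case. It assumes parent.com is an ordinary registered domain (the public-suffix table is a constructed stand-in for the real Public Suffix List) and models the Lax/Strict/None rules as the linked Chromium and Mozilla posts describe them.

```python
# Constructed stand-in for the Public Suffix List; the real list is far larger.
PUBLIC_SUFFIXES = {"com", "co.uk", "github.io"}


def registrable_domain(host):
    """Return the 'site' (eTLD+1) of a hostname, e.g. m.mysite.parent.com -> parent.com.

    Walks suffixes from longest to shortest; the first one found in the
    public-suffix table plus the label before it is the registrable domain.
    Returns None for a bare public suffix or an unknown TLD.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return None if i == 0 else ".".join(labels[i - 1:])
    return None


def same_site(initiator_host, target_host):
    """Two hosts are same-site when they share a registrable domain."""
    a, b = registrable_domain(initiator_host), registrable_domain(target_host)
    return a is not None and a == b


def cookie_sent(samesite, initiator_host, target_host, top_level_nav, method, secure_cookie):
    """Would a cookie with this SameSite value be attached to the request?

    - same-site requests always carry the cookie, whatever the attribute;
    - Strict never crosses sites;
    - Lax crosses sites only on top-level navigations with a safe method;
    - None crosses sites freely but, under Chrome's change, only if Secure.
    A missing attribute is treated as Lax, mirroring Chrome's announced default.
    """
    samesite = (samesite or "lax").lower()
    if same_site(initiator_host, target_host):
        return True
    if samesite == "strict":
        return False
    if samesite == "lax":
        return top_level_nav and method.upper() in ("GET", "HEAD")
    if samesite == "none":
        return secure_cookie
    raise ValueError("unknown SameSite value: %r" % samesite)


if __name__ == "__main__":
    # The poster's case: the "Main Site" link clicked from the mobile view.
    print(registrable_domain("m.mysite.parent.com"), registrable_domain("mysite.parent.com"))
    print(cookie_sent("lax", "m.mysite.parent.com", "mysite.parent.com", True, "GET", True))
```

With this model the two hosts resolve to the same site (parent.com), so the session cookie travels with the link under Lax and even under Strict; a genuinely cross-site top-level GET still carries a Lax cookie, while cross-site POSTs and embedded subresources do not.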
