Project

General

Profile

Actions

Bug #15729

closed

Session cookie warnings

Added by GChuf 6 2 months ago. Updated 19 days ago.

Status:
Resolved
Priority:
Normal
Assignee:
-
Category:
Dashboard
Target version:
Start date:
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
24.11
Release Notes:
Default
Affected Version:
Affected Architecture:

Description

PR: https://github.com/pfsense/pfsense/pull/4700

Firefox outputs warnings in the console about the cookies not having a samesite attribute, and that the attribute's value will be treated as "lax" if no changes are made.


Files

samesite.png (86.2 KB) samesite.png GChuf 6, 09/16/2024 08:55 PM
Actions #1

Updated by GChuf 6 about 2 months ago

  • Status changed from Ready To Test to Feedback
  • % Done changed from 0 to 100
Actions #2

Updated by Christopher Cope about 1 month ago

  • Status changed from Feedback to Confirmed

Tested on

24.11-ALPHA (amd64)
built on Fri Oct 11 19:54:00 UTC 2024
FreeBSD 15.0-CURRENT

Several of the errors are no longer present, but it seems there are still some that aren't fixed, such as:

Cookie “treegrid-disks-0” does not have a proper “SameSite” attribute value. Soon, cookies without the “SameSite” attribute or with an invalid value will be treated as “Lax”. This means that the cookie will no longer be sent in third-party contexts. If your application depends on this cookie being available in such contexts, please add the “SameSite=None“ attribute to it. To know more about the “SameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite

Actions #3

Updated by GChuf 6 about 1 month ago

disks.widget.php has some additional cookie code that is causing the warning.
Since the cookies seem to be handled in auth.inc, I deleted some code from disks widget.
The warning has disappeared and the cookies look OK.

PR:
https://github.com/pfsense/pfsense/pull/4705

Actions #4

Updated by Marcos M about 1 month ago

  • Subject changed from Add samesite attribute to session cookies to Address dashboard session cookie warnings
  • Status changed from Confirmed to Resolved
  • Target version set to 2.8.0
  • Plus Target Version set to 24.11

The treegrid cookies for the Disk and ZFS widgets have been removed. With the widget-specific cookies removed, treegrid keeps the collapse state between both page reloads and widget refreshes.

Actions #5

Updated by Jim Pingle 19 days ago

  • Tracker changed from Todo to Bug
  • Subject changed from Address dashboard session cookie warnings to Session cookie warnings
  • Category changed from Web Interface to Dashboard
Actions

Also available in: Atom PDF