Opened 4 years ago

Closed 3 years ago

#1890 closed enhancement (fixed)

Cookie SameSite support for userid module

Reported by: c1aphas@…
Owned by:
Priority: major
Milestone:
Component: other
Version: 1.17.x
Keywords: userid cookies
Cc:
uname -a: Darwin Kernel Version 19.0.0: Thu Oct 17 16:17:15 PDT 2019; root:xnu-6153.41.3~29/RELEASE_X86_64 x86_64
nginx -V: nginx version: nginx/1.17.0
built by clang 10.0.1 (clang-1001.0.46.4)
built with OpenSSL 1.0.2r 26 Feb 2019 (running with OpenSSL 1.0.2s 28 May 2019)
TLS SNI support enabled
configure arguments: --prefix=/usr/local/Cellar/nginx/1.17.0 --sbin-path=/usr/local/Cellar/nginx/1.17.0/bin/nginx --with-cc-opt='-I/usr/local/opt/pcre/include -I/usr/local/opt/openssl/include' --with-ld-opt='-L/usr/local/opt/pcre/lib -L/usr/local/opt/openssl/lib' --conf-path=/usr/local/etc/nginx/nginx.conf --pid-path=/usr/local/var/run/nginx.pid --lock-path=/usr/local/var/run/nginx.lock --http-client-body-temp-path=/usr/local/var/run/nginx/client_body_temp --http-proxy-temp-path=/usr/local/var/run/nginx/proxy_temp --http-fastcgi-temp-path=/usr/local/var/run/nginx/fastcgi_temp --http-uwsgi-temp-path=/usr/local/var/run/nginx/uwsgi_temp --http-scgi-temp-path=/usr/local/var/run/nginx/scgi_temp --http-log-path=/usr/local/var/log/nginx/access.log --error-log-path=/usr/local/var/log/nginx/error.log --with-compat --with-debug --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_degradation_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-ipv6 --with-mail --with-mail_ssl_module --with-pcre --with-pcre-jit --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module

Description

The upcoming release of Chrome 80 will make cookies SameSite=Lax by default.
https://www.chromestatus.com/feature/5088147346030592
This will break our advertising and tracking mechanics. We are using the userid cookie for many of our projects placed on subdomains.
For now, we are allowing crossdomain uid cookies with:

userid_path '/; Secure; SameSite=None';

But there is a problem with some old browsers: cookies with SameSite are declined.
https://www.chromium.org/updates/same-site/incompatible-clients

Can we have an option to control the SameSite attribute in userid_module, and not enable this feature for the "incompatible-clients" list?

PS: We could do this with map, but the userid module doesn't support variables:

map "$http_user_agent" $userid_path {
    default                     "/;";
    "Chrome 64"                  "/; Secure; SameSite=None";
}

...

userid_path $userid_path;

Results:

Set-Cookie: uid_test=fwAAAV3KnIGr0OrKAwMFAg==; path=$userid_path

Change History (1)

comment:1 by Maxim Dounin, 3 years ago

Resolution: fixed
Status: new → closed

The userid_flags directive to provide additional cookie flags is available starting with nginx 1.19.3 (e3e8b8234f05, c0cacad62cc8). There are no plans to introduce client-specific compatibility checks.
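
Added example, not part of the ticket or of nginx's own documentation: the reporter's `userid_path` workaround next to the equivalent `userid_flags` configuration for nginx 1.19.3 and later. The cookie name `uid_test` is taken from the ticket; the domain `example.com` and the choice of `userid on` are assumptions.

```nginx
# Before (workaround from the ticket): the attributes ride along inside the
# path value, so the emitted header carries "path=/; Secure; SameSite=None".
# This works on older versions but depends on nginx not validating the path.
#
#   userid_path '/; Secure; SameSite=None';

# After (nginx 1.19.3+): the attributes are set with userid_flags.
userid         on;
userid_name    uid_test;        # cookie name seen in the ticket
userid_domain  example.com;     # assumed: parent domain shared by the subdomains
userid_path    /;

# Documented flags: secure, httponly, samesite=strict, samesite=lax,
# samesite=none. SameSite=None must be paired with Secure, so the site
# has to be served over HTTPS.
userid_flags   secure samesite=none;

# The flags apply to every client: userid_flags takes fixed flag names,
# not variables, so the map-on-User-Agent approach from the ticket
# cannot be used to skip the "incompatible-clients" list.
```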
