Opened 5 years ago
Closed 4 years ago
#1890 closed enhancement (fixed)
Cookie SameSite support for userid module
| Reported by: | | Owned by: | |
|---|---|---|---|
| Priority: | major | Milestone: | |
| Component: | other | Version: | 1.17.x |
| Keywords: | userid cookies | Cc: | |

uname -a: Darwin Kernel Version 19.0.0: Thu Oct 17 16:17:15 PDT 2019; root:xnu-6153.41.3~29/RELEASE_X86_64 x86_64

nginx -V:
nginx version: nginx/1.17.0
built by clang 10.0.1 (clang-1001.0.46.4)
built with OpenSSL 1.0.2r 26 Feb 2019 (running with OpenSSL 1.0.2s 28 May 2019)
TLS SNI support enabled
configure arguments: --prefix=/usr/local/Cellar/nginx/1.17.0 --sbin-path=/usr/local/Cellar/nginx/1.17.0/bin/nginx --with-cc-opt='-I/usr/local/opt/pcre/include -I/usr/local/opt/openssl/include' --with-ld-opt='-L/usr/local/opt/pcre/lib -L/usr/local/opt/openssl/lib' --conf-path=/usr/local/etc/nginx/nginx.conf --pid-path=/usr/local/var/run/nginx.pid --lock-path=/usr/local/var/run/nginx.lock --http-client-body-temp-path=/usr/local/var/run/nginx/client_body_temp --http-proxy-temp-path=/usr/local/var/run/nginx/proxy_temp --http-fastcgi-temp-path=/usr/local/var/run/nginx/fastcgi_temp --http-uwsgi-temp-path=/usr/local/var/run/nginx/uwsgi_temp --http-scgi-temp-path=/usr/local/var/run/nginx/scgi_temp --http-log-path=/usr/local/var/log/nginx/access.log --error-log-path=/usr/local/var/log/nginx/error.log --with-compat --with-debug --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_degradation_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-ipv6 --with-mail --with-mail_ssl_module --with-pcre --with-pcre-jit --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module
Description
The upcoming release of Chrome 80 will make cookies SameSite=Lax by default:
https://www.chromestatus.com/feature/5088147346030592
This will break our advertising and tracking mechanics. We are using the userid cookie for many of our projects placed on subdomains.
For now, we are allowing cross-domain uid cookies with:
userid_path '/; Secure; SameSite=None';
But there is a problem with some old browsers: cookies with SameSite are declined:
https://www.chromium.org/updates/same-site/incompatible-clients
Can we have an option to control the SameSite attribute in the userid module, and not enable this feature for clients on the "incompatible-clients" list?
PS: We could do this with map, but the userid module doesn't support variables:
map "$http_user_agent" $userid_path {
    default     "/;";
    "Chrome 64" "/; Secure; SameSite=None";
}
...
userid_path $userid_path;
Results:
Set-Cookie: uid_test=fwAAAV3KnIGr0OrKAwMFAg==; path=$userid_path
The userid_flags directive to provide additional cookie flags is available starting with nginx 1.19.3 (e3e8b8234f05, c0cacad62cc8). There are no plans to introduce client-specific compatibility checks.
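The client-specific gate the reporter asked for, as an added example that is not part of the ticket or of nginx. The directive that closed the ticket, `userid_flags secure samesite=none;` (nginx 1.19.3), is static and does not take variables, so a per-client decision has to be made somewhere that sees the User-Agent, for instance in the application that issues or re-issues the uid cookie. The detection rules below are a Python port of the pseudocode published on the Chromium "incompatible clients" page linked in the description: Chrome 51 to 66 and UC Browser for Android before 12.13.2 reject a cookie carrying SameSite=None, while Safari and embedded WebKit on macOS 10.14 and all browsers on iOS 12 treat SameSite=None as SameSite=Strict. The sample User-Agent strings and the cookie name and value are constructed for this example, and `set_cookie_header` is a hypothetical helper that only mimics the shape of the header the userid module emits.

```python
import re

# Constructed sample User-Agent strings (not taken from the ticket).
SAMPLE_UAS = {
    "chrome80": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.87 Safari/537.36",
    "chrome64": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36",
    "safari_mojave": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.2 Safari/605.1.15",
    "ios12": "Mozilla/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.2 Mobile/15E148 Safari/604.1",
    "ucbrowser_old": "Mozilla/5.0 (Linux; U; Android 8.1.0; en-US; Nexus 6P Build/OPM7.181205.001) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/57.0.2987.108 UCBrowser/12.11.2.1184 Mobile Safari/537.36",
    "firefox": "Mozilla/5.0 (X11; Linux x86_64; rv:72.0) Gecko/20100101 Firefox/72.0",
}


# --- Regex helpers mirroring the Chromium "incompatible clients" pseudocode ---

def is_ios_version(major, ua):
    m = re.search(r"\(iP.+; CPU .*OS (\d+)[_\d]*.*\) AppleWebKit/", ua)
    return m is not None and int(m.group(1)) == major


def is_macosx_version(major, minor, ua):
    m = re.search(r"\(Macintosh;.*Mac OS X (\d+)_(\d+)[_\d]*.*\) AppleWebKit/", ua)
    return m is not None and (int(m.group(1)), int(m.group(2))) == (major, minor)


def is_chromium_based(ua):
    return re.search(r"Chrom(e|ium)", ua) is not None


def is_safari(ua):
    # Chromium-based browsers also advertise "Safari/", so exclude them.
    return re.search(r"Version/.* Safari/", ua) is not None and not is_chromium_based(ua)


def is_mac_embedded_browser(ua):
    # A bare WebKit UA with no product token after "(KHTML, like Gecko)".
    pattern = r"^Mozilla/[\.\d]+ \(Macintosh;.*Mac OS X [_\d]+\) AppleWebKit/[\.\d]+ \(KHTML, like Gecko\)$"
    return re.search(pattern, ua) is not None


def is_chromium_version_at_least(major, ua):
    m = re.search(r"Chrom[^ /]+/(\d+)[\.\d]* ", ua)
    return m is not None and int(m.group(1)) >= major


def is_uc_browser(ua):
    return "UCBrowser/" in ua


def is_uc_browser_version_at_least(major, minor, build, ua):
    m = re.search(r"UCBrowser/(\d+)\.(\d+)\.(\d+)[\.\d]* ", ua)
    if m is None:
        return False
    # Lexicographic compare on (major, minor, build) matches the upstream rule.
    return tuple(int(g) for g in m.groups()) >= (major, minor, build)


# --- The two failure classes from the Chromium list ---

def has_webkit_samesite_bug(ua):
    """Clients that treat SameSite=None as SameSite=Strict."""
    return is_ios_version(12, ua) or (
        is_macosx_version(10, 14, ua) and (is_safari(ua) or is_mac_embedded_browser(ua))
    )


def drops_unrecognized_samesite_cookies(ua):
    """Clients that reject any cookie carrying SameSite=None."""
    if is_uc_browser(ua):
        return not is_uc_browser_version_at_least(12, 13, 2, ua)
    return (
        is_chromium_based(ua)
        and is_chromium_version_at_least(51, ua)
        and not is_chromium_version_at_least(67, ua)
    )


def should_send_samesite_none(ua):
    return not (has_webkit_samesite_bug(ua) or drops_unrecognized_samesite_cookies(ua))


def uid_cookie_flags(ua):
    """Flags a per-client userid_flags would emit. Incompatible clients get the
    cookie without any SameSite attribute (pre-Chrome-80 behaviour); Secure is
    kept for everyone, since nothing on the incompatible list objects to it."""
    if should_send_samesite_none(ua):
        return "Secure; SameSite=None"
    return "Secure"


def set_cookie_header(name, value, ua, path="/"):
    """Hypothetical helper: builds a Set-Cookie value shaped like the userid
    module's, with the flags chosen for this client."""
    return f"{name}={value}; path={path}; {uid_cookie_flags(ua)}"


if __name__ == "__main__":
    for label, ua in SAMPLE_UAS.items():
        print(f"{label:14s} -> {set_cookie_header('uid', 'fwAAAV3KnIGr0OrKAwMFAg==', ua)}")
```

The classification is a best-effort User-Agent sniff and nothing more: a client that lies about itself gets the wrong flags, which is exactly why nginx declined to carry this logic. Run it as a service-side pre-check only for the cookie that must be cross-site; first-party cookies should keep the Lax default.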