Opened 7 months ago

Last modified 5 months ago

#2547 new enhancement

Support Partitioned Cookies for load balancing according to CHIPS

Reported by: schnieders@… Owned by:
Priority: minor Milestone:
Component: other Version: 1.25.x
Keywords: cookie, loadbalancing, chips Cc:
uname -a:
nginx -V: 1.25

Description

All browsers will (or already have) restrict their 3rd-Party-Cookie handling to prevent user tracking. You are affected using nginx load balancer functionality in the following use case:

  • Your application is integrated in a 3rd-Party context
  • You are tied to a local state on a certain deployment unit
  • You use a sticky session cookie for load balancing

In such cases, the 3rd-Party session cookie will be blocked by the browser and your application will probably not work correctly. Safari blocks them already, Chrome and Firefox will do so, starting in mid 2024. To support such a use case as mentioned, CHIPS was introduced (https://github.com/privacycg/CHIPS). CHIPS will be supported by

  • Chrome
  • Firefox
  • Safari/Webkit seems to be undecided yet
  • Microsoft Edge might follow Chrome, since it's quite the same basis

Technically, CHIPS defines the cookie attribute "Partitioned", that will be handled by the browser in a certain jar for the 3rd-Party context within the 1st-Party context. So a tracking for multiple sites is not possible.

nginx should support Partitioned Cookies. The existing configuration could be extended as follows

upstream backend {
    server backend1.example.com route=a;
    server backend2.example.com route=b;

    sticky cookie srv_id expires=1h domain=.example.com samesite=none secure path=/ partitioned;
}

that results in an HTTP-Response Header value like this:

Set-Cookie: __Host-SID=31d4d96e407aad42; SameSite=None; Secure; Path=/; Partitioned;

(example is copied from the CHIPS proposal site)

Change History (3)

comment:1 by Maxim Dounin, 7 months ago

The sticky directive is only available in the commercial subscription, NGINX Plus, and if you want it there, consider writing to your support contact. This issue tracker is about nginx, which is an open source server, and not NGINX Plus.

In nginx, however, there are other directives which provide work with cookie attributes: userid_flags and proxy_cookie_flags. It might be a good idea to support the Partitioned attribute in these directives if/when it will be supported by browsers.

From what I see at CHIPS and in your Traefik issue, as of now both Mozilla and Chrome use partitioning by default (so the attribute is not needed), and Safari do not allow 3rd party cookies at all (and the attribute is not supported). As such, as of now this attribute is mostly useless. Things might change if there will be browsers which actually use this attribute.

comment:2 by schnieders@…, 7 months ago

Hi Maxim Dounin,

thank you for your reply. I will consider contacting the nginx plus support.

As far as I understand, Chrome, Mozilla and co uses partitioning by default only for storage access for 3rd-Party integrations. They do not block 3rd-Party cookies yet (yes, Safari already do), they will start in mid 2024. But you, or your company IT administrator, can already block 3rd-Party cookies in the browser settings or via IT policy.

According to Chrome documentation, you might consider using CHIPS to continue using 3rd-Party cookies in your application. CHIPS is already implemented in Chrome and activated by default, so the attribute can to be useful yet. But it depends on the certain usage in your application.

Last edited 7 months ago by schnieders@… (previous) (diff)

in reply to:  2 comment:3 by dkolb@…, 5 months ago

Google will move forward with Chrome blocking 3rd party cookies lacking the Partitioned attribute by default starting in Q1 of 2024. This will impact resources loaded inside of iframes and certain Single Logout use cases we support.

We are currently hacking in the Partitioned attribute using proxy_cookie_path, similar to how people were doing it before proxy_cookie_flags was introduced. It'd be nice to have baked in support for the Partitioned flag so we don't double-add the attribute once our backend teams start to add the flag themselves.

Note: See TracTickets for help on using tickets.