allow SameSite cookie attribute to be configured #11210
Conversation
pdurbin
added
Size: 10
|
|
||
| ## Upgrade instructions | ||
|
|
||
| To bring your Dataverse installation in line with the new "Lax" (as opposed to "None") value described in [the guides](https://dataverse-guide--11210.org.readthedocs.build/en/11210/installation/config.html#samesite-cookie-attribute), we recommend running the following commands: |
There was a problem hiding this comment.
This sounds like doing nothing means an installation would be using SameSite:None, but I think by default current installation are not sending anything, which is interpreted as 'Lax' by modern browsers. I.e. installations aren't less safe if they do nothing. Maybe 'To explicitly specify the Lax setting or to switch to Strict, you can use the following commands...' ? Perhaps we should also say 'The value 'None' should never be used with Dataverse.' ?
Same issue for the other docs - Lax is a way to make the current default explicit and None should never be used.
There was a problem hiding this comment.
FWIW: Not sure how you got a None for the Jessionid in the picture - I see no setting at all at QDR and on a test server. Could you have had the http.cookie-same-site-enabled=true already?
|
|
||
| See :ref:`samesite-cookie-attribute` for context. | ||
|
|
||
| The Dataverse installer configures the Payara **server-config.network-config.protocols.protocol.http-listener-1.http.cookie-same-site-value** setting to "Lax". From `Payara's documentation <https://docs.payara.fish/community/docs/6.2024.6/Technical%20Documentation/Payara%20Server%20Documentation/General%20Administration/Administering%20HTTP%20Connectivity.html>`_, the other possible values are "Strict" or "None". To change this to "Strict", for example, you could run the following command... |
There was a problem hiding this comment.
The value for this appears to do nothing if the http.cookie-same-site-enabled isn't set to true.
Conversely, setting http.cookie-same-site-enabled=true without setting this one ends up sending None as the default which is worse than not having a SameSite setting at all. I think the docs should warn people about these issues.
There was a problem hiding this comment.
The bin/asadmin work fine on an existing installation. I did suggest some doc changes to clarify that installations are not less secure now that our recommendation of going to Lax, and to stress that using None on purpose, or accidentally increases risks.
Also - not sure why the build failed - from the log, it doesn't look related to the PR to me.
|
Another note - I think Strict breaks remote login - at least ORCID which is what I tested. Lax works as expected. |
What this PR does / why we need it:
This PR sets the SameSite cookie attribute to "Lax", which is more secure than "None" and documents how to change it to "Strict".
Which issue(s) this PR closes:
Special notes for your reviewer:
None.
Suggestions on how to test this:
Here's the "before" screenshot. Follow the docs and try to change the SameSite value.
Does this PR introduce a user interface change? If mockups are available, please link/include them here:
No.
Is there a release notes update needed for this change?:
Yes, included.
Additional documentation:
Preview docs at https://dataverse-guide--11210.org.readthedocs.build/en/11210/installation/config.html#samesite-cookie-attribute