Issue #00005571

Improved handling of cookies - added sameSite=Strict to OpenWGA cookies
Feature/Improvement

Some browsers no longer accept cookies without a "sameSite" value set.

We changed the internally used cookies to write "sameSite=Strict" now. This is true for the following cookies:

  • WGPID
  • WGLastRedirectHex
  • WGSESSIONID / WGSECURESESSIONID (if used)

In addition we added new methods to api.Cookie:

setSameSite(value)              // set sameSite value (default=Strict)
setValue(value, "hex"|"base64") // encode value to HEX or Base64
getValue("hex"|"base64")        // decode value from HEX or Base64
write()                         // write cookie to HTTP-Header

All setters now return the cookie object itself so that methods can be chained.

Sample:

WGA.Call().createCookie("my-cookie")
    .setValue("some value", "base64")
    .setSameSite("Strict")
    .write()

Note:

  • WGA.Call().addCookie() is unchanged and does NOT set a sameSite value. Use the new Cookie.write() method instead.

About JSESSIONID cookie:

This cookie is created and managed by the underlying app server (Tomcat), and we have no influence over it. This means that this cookie is still written without a sameSite value. To avoid this, you should use the optional OpenWGA session management. In that case a WGSESSIONID cookie is created. Because this cookie is under our control, we set sameSite=Strict on it.
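
To check from the outside which cookies of a deployment carry a sameSite value, the Set-Cookie headers of a response can be audited. The following is an added example, not OpenWGA code: the header lines are constructed sample data and the function names parseSetCookie and auditSameSite are hypothetical.

```javascript
// Added example: audit Set-Cookie header values for the SameSite attribute.
// Constructed sample data, not captured OpenWGA output.
const sampleHeaders = [
  "WGPID=abc123; Path=/; SameSite=Strict",
  "WGLastRedirectHex=2f686f6d65; Path=/; samesite=strict",
  "WGSESSIONID=s1; Path=/; HttpOnly; SameSite=Strict",
  "JSESSIONID=0A1B2C; Path=/; HttpOnly",
  "my-cookie=c29tZSB2YWx1ZQ==; Path=/; SameSite=Strict",
  "legacy=1; Path=/; SameSite=None",
];

// Split one Set-Cookie value into the cookie name and a map of attributes.
// Attribute names are case-insensitive, so they are lower-cased here.
function parseSetCookie(line) {
  const parts = line.split(";").map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf("="); // first "=" only: Base64 values may end in "="
  const name = eq < 0 ? parts[0] : parts[0].slice(0, eq);
  const attrs = {};
  for (const part of parts.slice(1)) {
    const i = part.indexOf("=");
    const key = (i < 0 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs[key] = i < 0 ? true : part.slice(i + 1).trim();
  }
  return { name, attrs };
}

// Verdicts: "ok", "missing" (absent or unrecognised value),
// "none-without-secure" (SameSite=None set on a cookie that lacks Secure).
function auditSameSite(lines) {
  return lines.map((line) => {
    const { name, attrs } = parseSetCookie(line);
    const raw = attrs["samesite"];
    const sameSite = typeof raw === "string" ? raw.toLowerCase() : null;
    let verdict = "ok";
    if (!["strict", "lax", "none"].includes(sameSite)) verdict = "missing";
    else if (sameSite === "none" && !attrs["secure"]) verdict = "none-without-secure";
    return { name, sameSite, verdict };
  });
}

for (const r of auditSameSite(sampleHeaders)) {
  console.log(`${r.name}: SameSite=${r.sameSite ?? "(not set)"} -> ${r.verdict}`);
}
```

With the constructed input, only JSESSIONID and the "legacy" cookie are flagged; the same functions can be run over the Set-Cookie lines copied from a browser's network panel.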