Rick,
I noticed a gift from google chrome today when looking in the dev console.
Thoughts?
Maybe you should be a little less cryptic with your oracle proclamations? 😉
Sorry Rick - was short on time. I had hoped you'd see the subject and be like 'oh that...'
I was doing some console debugging and noticed a reference to this error "Reject insecure SameSite=None cookies" with a link pointing to here for more info - - The poignant change in Chrome is this "Deprecate and remove the use of cookies with the SameSite=None attribute but without the Secure attribute. Any cookie that requests SameSite=None but is not marked Secure will be rejected."
I believe we may need to add some attributes to the cookies that the WWWC platform writes, or if you already have a way to do this, let me know. I have basically hidden from cookies since day one, because WWWC deals with them for me.
I don't think this is a problem for WWWC because currently there's no support for same site cookies at all 😃
But you're right - I think we need a more flexible approach. The current Response.AddCookie()
method is really a mess, so I think what's needed is a Cookie
class that we can set all the different properties on and then let the class generate the cookie rather than passing 10 parameters...
Easier to test for end users as well as you could check this out from the command window.
Not going to happen right away though - that's going to take a bit more effort. +++ Rick ---
Ok so maybe not that complicated 😃
Added the following via a new wwCookie
class.
loCookie = CREATEOBJECT("wwCookie")
loCookie.CookieName = "testvalue"
loCookie.Value = "NewValue"
loCookie.Expires = DATE() + 10
loCookie.SameSite = "None"
loCookie.Secure = .T.
loCookie.HttpOnly = .T.
? loCookie.ToString()
Response.AddCookie(loCookie)
The cookie class from the above generates:
testvalue=NewValue; path=/; SameSite=None; HttpOnly; Secure; Expires=Sun, 10 Nov 2019 10:00:00 GMT
This should allow a lot more control over the cookie.
+++ Rick ---