ColdFusion SetCookie UDF (Supports “SameSite”)
I attempted to post the following response regarding a ColdFusion bug that I reported in 2018, but Adobe’s CFTracker web application wasn’t working and refused to accept my post for an undisclosed reason.
**CFCookie "samesite" support** https://tracker.adobe.com/#/view/CF-4201688
A third-party site's API recently triggered the following warning message in Chrome 78:
A cookie associated with a cross-site resource at http://jetio.streamguys.com/ was set without the SameSite attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with SameSite=None and Secure. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032
I reported it to them and they fixed it within 2-3 days on their PHP platform.
As a workaround for CF2016, I'm using this modified UDF to set a CFCookie & a fallback "set-cookie" CFHeader. It duplicates the response headers, but if CFCookie isn't used, the value isn't added to the COOKIE scope. (The 2nd set-cookie header overwrites the 1st one set by CF.) https://gist.github.com/JamoCA/bc34e27704eac277fcaf7053c54912b6
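The CFCookie-plus-fallback-header pattern described above, sketched as an added example (this is not the code in the linked gist and not Adobe's patch). `setSameSiteCookie` and its arguments are hypothetical names; it handles session cookies only and assumes CFCookie upper-cases the cookie name and uses `path=/` with no domain, so the second header replaces the first in the browser.

```cfml
<!--- Hypothetical helper: session cookie only, CFCookie's default path and domain. --->
<cffunction name="setSameSiteCookie" access="public" returntype="string" output="false">
    <cfargument name="name" type="string" required="true">
    <cfargument name="value" type="string" required="true">
    <cfargument name="sameSite" type="string" default="Lax">
    <cfargument name="secure" type="boolean" default="true">
    <cfargument name="httpOnly" type="boolean" default="true">
    <cfset var header = "">

    <!--- The name is written into a raw header, so allow only safe token characters. --->
    <cfif NOT reFind("^[A-Za-z0-9_.-]+$", arguments.name)>
        <cfthrow type="SetCookie.InvalidName" message="Cookie name contains unsupported characters.">
    </cfif>
    <cfif NOT listFindNoCase("Strict,Lax,None", arguments.sameSite)>
        <cfthrow type="SetCookie.InvalidSameSite" message="sameSite must be Strict, Lax or None.">
    </cfif>
    <!--- Per the Chrome warning, SameSite=None is only honoured together with Secure. --->
    <cfif arguments.sameSite EQ "None" AND NOT arguments.secure>
        <cfthrow type="SetCookie.InsecureNone" message="SameSite=None requires secure=true.">
    </cfif>

    <!--- 1. CFCookie populates the COOKIE scope for the rest of this request. --->
    <cfcookie name="#arguments.name#" value="#arguments.value#"
        secure="#arguments.secure#" httponly="#arguments.httpOnly#">

    <!--- 2. Fallback header. Browsers match cookies on name and path, so mirror
          CFCookie's upper-cased name and path=/ (assumed defaults, see lead-in). --->
    <cfset header = uCase(arguments.name) & "=" & urlEncodedFormat(arguments.value) & "; Path=/">
    <cfif arguments.secure><cfset header = header & "; Secure"></cfif>
    <cfif arguments.httpOnly><cfset header = header & "; HttpOnly"></cfif>
    <!--- Normalise the validated value to Strict, Lax or None. --->
    <cfset header = header & "; SameSite=" & uCase(left(arguments.sameSite, 1))
        & lCase(right(arguments.sameSite, len(arguments.sameSite) - 1))>
    <cfheader name="Set-Cookie" value="#header#">
    <cfreturn header>
</cffunction>

<!--- Usage with a constructed sample cookie that must be sent on cross-site requests. --->
<cfset sentHeader = setSameSiteCookie(name="widgetPref", value="dark mode", sameSite="None")>
```

After a request that calls this, check the cookie in developer tools under Application>Storage>Cookies to confirm the stored copy carries the SameSite, Secure and HttpOnly values from the second header.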
1/17/2020 Update
Adobe has indicated that this will be fixed in CF2016+, but it’s 20 days away and nothing has been made available yet. On 1/16/2020, Google published "Get Ready for New SameSite=None; Secure Cookie" and listed other platforms that had same-site examples.
3/24/2020 Update
Adobe has posted manual patches for this on the bug report.
(If using CF2016, download the CF2018 attachment as the instructions for CF2016 are incorrect.) If you are using ColdFusion 10 or 11, you’ll either have to use this UDF or Pete Freitag’s solution for IIS or Apache.


















