Same Site Cookie

I just found this article by Mozilla: Changes to SameSite Cookie Behavior – A Call to Action for Web Developers and wonder if there is action needed in Plone? Any opinions?

Last/latest Chrome version(s) will report such issues on the console (and I think there is a dedicated tab in the dev tools of Chrome). I would not find any issue with two sites using cookies heavily.

I saw a warning these days while working in the ZMI, plain Zope, though.

Had no chance to dig deeper, yet.

TIL that you can register a utility to tweak the cookie parameters, e.g.:

<!-- configure.zcml: register the custom policy as a utility -->
<configure xmlns="http://namespaces.zope.org/zope">
  <utility factory=".cookie.CustomCookieParamPolicy" />
</configure>

# cookie.py (the module the ZCML factory above points at)
from ZPublisher.cookie import convertCookieParameter
from ZPublisher.cookie import DefaultCookieParamPolicy


class CustomCookieParamPolicy(DefaultCookieParamPolicy):
    @staticmethod
    def parameters(name, attrs):
        """Adds the SameSite cookie attribute to the parameters."""
        # Re-yield everything the default policy produces first, otherwise
        # attributes set by callers (e.g. plone.session) would be dropped.
        for item in super(CustomCookieParamPolicy, CustomCookieParamPolicy).parameters(
            name, attrs
        ):
            yield item
        # Only add SameSite when the caller did not set it explicitly.
        if "SameSite" not in attrs:
            yield convertCookieParameter("SameSite", "Lax")

I think you need to iterate over the result of the super call and yield them as well or the parameters from plone.session will be dropped.

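To make the point of the reply above concrete (and the pattern of the policy post before it), here is an added, stand-alone example that is not code from the thread or from Zope: it models the cookie parameter policy with small stand-ins for ZPublisher's DefaultCookieParamPolicy and convertCookieParameter (both assumed here, simplified), renders the resulting Set-Cookie header, and compares a policy that re-yields the base parameters with one that forgets to. The cookie attributes are constructed sample input.

```python
"""Added example: why a cookie parameter policy override must re-yield the base parameters."""


def convertCookieParameter(name, value):
    """Stand-in for ZPublisher.cookie.convertCookieParameter (assumed, simplified):
    boolean attributes render as bare flags, everything else as Name=value."""
    if name in ("Secure", "HttpOnly"):
        return (name, None)
    return (name, str(value))


class DefaultCookieParamPolicy:
    """Stand-in for the Zope base policy: yield every attribute except the value."""

    @staticmethod
    def parameters(name, attrs):
        for pn, pv in attrs.items():
            if pn == "value":
                continue
            yield convertCookieParameter(pn, pv)


class CustomCookieParamPolicy(DefaultCookieParamPolicy):
    """Same override as in the thread: re-yield the base parameters, then add SameSite=Lax."""

    @staticmethod
    def parameters(name, attrs):
        for item in super(CustomCookieParamPolicy, CustomCookieParamPolicy).parameters(name, attrs):
            yield item
        if "SameSite" not in attrs:
            yield convertCookieParameter("SameSite", "Lax")


class ForgetfulCookieParamPolicy(DefaultCookieParamPolicy):
    """The mistake the reply warns about: the base parameters are never yielded."""

    @staticmethod
    def parameters(name, attrs):
        if "SameSite" not in attrs:
            yield convertCookieParameter("SameSite", "Lax")


def render_set_cookie(policy, name, attrs):
    """Build the Set-Cookie header value the way a response would, using the given policy."""
    parts = ["%s=%s" % (name, attrs["value"])]
    for pn, pv in policy.parameters(name, attrs):
        parts.append(pn if pv is None else "%s=%s" % (pn, pv))
    return "; ".join(parts)


def attribute_names(header_value):
    """Return the attribute names (without the cookie itself) present in a header value."""
    return {part.split("=", 1)[0] for part in header_value.split("; ")[1:]}


# Constructed sample: attributes a session cookie would typically be set with.
SESSION_COOKIE_ATTRS = {"value": "abc123", "Path": "/", "HttpOnly": True}


def demo():
    """Render the sample cookie under both policies and report what the forgetful one lost."""
    good = render_set_cookie(CustomCookieParamPolicy, "__ac", SESSION_COOKIE_ATTRS)
    bad = render_set_cookie(ForgetfulCookieParamPolicy, "__ac", SESSION_COOKIE_ATTRS)
    lost = attribute_names(good) - attribute_names(bad)
    return good, bad, lost


if __name__ == "__main__":
    good, bad, lost = demo()
    print("correct override :", good)
    print("forgetful override:", bad)
    print("attributes dropped:", sorted(lost))
```

Running the module prints both header values; the forgetful variant loses Path and HttpOnly, which is exactly the symptom the reply describes for plone.session.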

Thanks, I updated the code :slight_smile:

Thanks for sharing. I did not know about that one either.


FTR, SameSite will be set to “Lax” in plone.session via this PR: Set cookie attribute SameSite by reinhardt · Pull Request #30 · plone/plone.session · GitHub

This is included in the just released Plone 6.0.0b2. Full announcement to follow later.

And we will have it in Products.Session as well :slight_smile:

... and Products.PluggableAuthService for the cookie auth helper (see Set the Cookie Auth Helper cookies with ``SameSite`` set to ``Strict`` by dataflake · Pull Request #114 · zopefoundation/Products.PluggableAuthService · GitHub) and DocumentTemplate for the dtml-tree tag (see Set `tree-s` cookie for `dtml-tree` with `SameSite=Lax` by dataflake · Pull Request #67 · zopefoundation/DocumentTemplate · GitHub)


How can I set the SameSite cookie flag? I have a Plone 6.0.7 site and the field for this is not available. I tried adding a new property with id cookiesamesite set to string and value "Strict". But I still see "Lax" for the __ac cookie.

Update 1:
Found the settings at the properties tab of acl_users/credentials_cookie_auth, but it does not work.

Please file an issue with details.

Thank you for your reply.

I have looked into this some more. It is not a bug. The default samesite value in plone.session was hard coded (in version 4.0.4) and it is not available in acl_users/session properties tab to be customized.

Nginx can add cookie options via proxy_cookie_path and proxy_cookie_flags (version 1.19.3). However, it does not seem to allow rewriting already set options.

My temporary fix is to change the hard coded setting.
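Whichever way the attribute ends up being set (plone.session, the PAS cookie auth helper, or a proxy), the check a practitioner wants is whether the Set-Cookie headers the browser actually receives carry the intended SameSite value. The following is an added example, not code from the thread or from Plone: it parses Set-Cookie header lines with the standard library and reports cookies whose SameSite value is missing, differs from what is expected, or is None without Secure (which browsers reject). The header lines and the expectation for __ac are constructed sample input.

```python
"""Added example: audit Set-Cookie header lines for their SameSite attribute."""
from http.cookies import SimpleCookie

# Constructed sample of Set-Cookie header values as a proxy or browser would see them.
SAMPLE_SET_COOKIE_LINES = [
    "__ac=YWJjZGVm; Path=/; HttpOnly; SameSite=Lax",
    "tree-s=eJw; Path=/; SameSite=Lax",
    "_ZopeId=12345; Path=/",
    "mark=1; Path=/; SameSite=None",
]

# Constructed expectation: the poster wants the __ac cookie to be Strict.
EXPECTED_SAMESITE = {"__ac": "Strict"}


def audit_set_cookie(lines, expected=EXPECTED_SAMESITE):
    """Return {cookie name: list of problems}; an empty list means the cookie looks fine.

    Each header line is parsed separately because one Set-Cookie header carries one cookie.
    """
    report = {}
    for line in lines:
        jar = SimpleCookie()
        jar.load(line)
        for name, morsel in jar.items():
            problems = []
            samesite = morsel["samesite"] or None  # SimpleCookie stores "" when absent
            secure = bool(morsel["secure"])
            if samesite is None:
                problems.append("SameSite attribute missing")
            elif samesite.lower() == "none" and not secure:
                problems.append("SameSite=None requires Secure")
            wanted = expected.get(name)
            if wanted is not None and (samesite or "").lower() != wanted.lower():
                problems.append("SameSite=%s, expected %s" % (samesite, wanted))
            report[name] = problems
    return report


def cookies_with_problems(lines, expected=EXPECTED_SAMESITE):
    """Convenience: just the names of cookies that need attention, in header order."""
    return [name for name, problems in audit_set_cookie(lines, expected).items() if problems]


if __name__ == "__main__":
    for name, problems in audit_set_cookie(SAMPLE_SET_COOKIE_LINES).items():
        status = "ok" if not problems else "; ".join(problems)
        print("%-10s %s" % (name, status))
```

For a live site the lines would come from the response headers of a login request (for example the `Set-Cookie` entries of a `requests` or `curl -i` response); the audit itself does not change depending on where the lines came from.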

In this case file a feature request (enhancement) :smiley:

At least this way it is documented in some way.