How to set SameSite=Lax in a simple way, step by step
Question

Hi All,

Recently I have been exploring a lot of articles on implementing the SameSite=Strict or at least SameSite=Lax attribute (if the former breaks/affects the proper functioning of the application).

I only half understand what it means, and it is very confusing. Can any of you guide me step by step on how to achieve it?

At least SameSite=Lax will do.

So that in the next round of assessment scanning, the result won't show as "NONE".

My application is running in OutSystems cloud.

I would appreciate it if you can help me.

Thank you


Hi Jing Tung,

Please refer to the following article with regard to Upcoming changes in cookie handling in Google Chrome and read it with care in order to understand how OutSystems handles the SameSite attribute of the platform's generated cookies.

In short, the platform currently only allows two default values for the SameSite attribute of its generated cookies via Lifetime security settings:

  • Browser Default
  • None

This means that it is currently not possible to use the values Strict or Lax for the SameSite attribute of the platform's generated cookies. However, OutSystems is considering adding additional default values in the future as is also stated in the article:

"In a future version, after the major browsers have rolled out this new cookie-handling behavior and based on the results, OutSystems will review the defaults and consider the possibility of adding "Lax" as a configurable value for the "SameSite" setting."

Last, for cookies created by use of the SetCookie action of the HTTPRequestHandler module, it is possible to set the SameSite attribute with the values None, Strict or Lax.

Hope this helped!

Regards,

Nordin
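
To see what a scanner will read before the next assessment, the Set-Cookie headers an application returns can be classified by their SameSite value. The following is an added example, not part of the original thread and not OutSystems code; the cookie names and header lines are constructed samples.

```python
# Added example: classify Set-Cookie headers by SameSite value.
# SAMPLE_HEADERS are constructed lines with hypothetical cookie names.
SAMPLE_HEADERS = [
    "session_id=abc123; Path=/; Secure; HttpOnly",
    "tracking=xyz; Path=/; SameSite=None",
    "embed_token=t0k; Path=/; Secure; SameSite=None",
    "prefs=dark; Path=/; Secure; SameSite=Lax",
    "csrf=9f2; Path=/; Secure; HttpOnly; samesite=strict",
]


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, {lowercased attribute: value})."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, value = part.partition("=")
            attrs[key.strip().lower()] = value.strip()
    return name, attrs


def classify(header_value):
    """Return (cookie name, status, note) for one Set-Cookie value."""
    name, attrs = parse_set_cookie(header_value)
    samesite = attrs.get("samesite", "").lower()
    if samesite in ("strict", "lax"):
        return name, samesite, "cross-site sending is restricted"
    if samesite == "none":
        if "secure" not in attrs:
            return name, "none-without-secure", "Chrome rejects SameSite=None without Secure"
        return name, "none", "sent on all cross-site requests"
    # Attribute missing or unrecognized: the browser applies its own default.
    return name, "browser-default", "no explicit SameSite value in the header"


def audit(headers):
    """Classify every Set-Cookie value in the list."""
    return [classify(h) for h in headers]


if __name__ == "__main__":
    for name, status, note in audit(SAMPLE_HEADERS):
        print(f"{name:12} {status:20} {note}")
```

Replace the samples with the Set-Cookie values copied from a response of the application, for example from the browser's developer tools.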

Hi Nordin,


Thanks for your reply


Can I say that currently OutSystems Cloud hosting generates cookies via Lifetime security, and only has:

  • Browser Default
  • None

In the future, OutSystems "will review the defaults and consider the possibility of adding "Lax" as a configurable value for the "SameSite" setting."


Also, regarding the SetCookie action of the HTTPRequestHandler module, does it mean that only when my application integrates with a third-party system or domain can I use SetCookie?


Thank you 
