Long-lifetime or HttpOnly cookies do not work with Web2. Another bug?

I have a server (macOS) with a valid SSL certificate. A WebApp (Web1) created with 2019R3.1 allows me to create a secure cookie with an expiration date of my choice. The same code with 2022R4.1 (Web2) does not create any cookies but just generates an error…

Client side for test: macOS Catalina Safari and Firefox

1st example with Web1:
New web project with a single button that contains the following code in Action:

Dim d As New Date
d.Month=d.Month+6
Session.Cookies.Set("test","Web1",d,"","/",True,True)

The app compiled as Standalone and started with --secureport=9081 is accessible via https…myserver.com:9081
When the button is clicked, the “test” cookie is created as expected with expiration in 6 months => ok

2nd example with Web2:
New web project with a single button that contains the following code in Pressed:

Var d As DateTime = DateTime.Now.AddInterval(0, 6)
Session.Cookies.Set("test2","Web2",d,"","/",True,True,WebCookieManager.SameSiteStrength.Strict)

and also tested with

Session.Cookies.Set("test2","Web2",d,"","/",True,True)
Session.Cookies.Set("test2","Web2",d,"","/",True,True,WebCookieManager.SameSiteStrength.Off)
Session.Cookies.Set("test2","Web2",d,"","/",True,True,WebCookieManager.SameSiteStrength.Lax)

and also tested with the domain name, no way to make it work.

The app compiled with secure port set to 9082 is accessible via https…myserver.com:9082
When the button is clicked, no cookie is created but the following 2 errors appear in the Firefox console:

The “cookietest” cookie does not have a proper “SameSite” attribute value. Soon, cookies with the “SameSite” attribute missing or set to an invalid value will be treated as “Lax”. This means that the cookie will no longer be sent in third-party contexts. If your application depends on the availability of this cookie in such contexts, please add the attribute “SameSite=None” to it. To learn more about the “SameSite” attribute, see https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite

Cookie ‘test2’ was rejected because an HTTP-Only cookie already exists but the script tried to store a new one.

The only way I found to create a cookie under Web2 is to remove the “HttpOnly” option, but in this case, Safari and its ITP rules limit the lifetime of the cookie to 7 days!

Session.Cookies.Set("test2","Web2",d,"","/",True,False,WebCookieManager.SameSiteStrength.Strict)

I couldn’t find anything in the doc or on the web. Does anyone have a solution to create a cookie with a validity greater than the limit of 7 days for Safari?
And what is this “cookietest”?

Cookietest is part of the Modernizr library that runs on every browser when the app is first loaded. The error is the result of a test from which the test suite gets its results. You can ignore that.

Thanks Greg for clarifying the Cookietest warning.
Do you have any solution for my problem with HttpOnly, is this a bug or am I doing something wrong?

Even if I delete all cookies from the browser, I still get the same error telling me that the cookie already exists…

In the console I have the following data:
Request:
{"data":null,"controlID":"uH2PYP","eventName":"Pressed"} ""
Response:
[{"type":"javascript","source":"document.cookie=\"test2=Web2; path=/; expires=Sat, 15 Jul 2023 16:55:02 GMT; secure; HttpOnly; SameSite=strict; \";"}]

I’m not sure of all the details, but I can say that my Web2 app uses cookies on an HTTPS site, with a 14 day expiration, and they seem to work fine.

Are you really trying to use HTTP with your site? That seems like one of those things where there is probably a Darth Vader meme saying you shouldn’t :slight_smile:

@Alain_Clausen the framework seems to be trying to set an HttpOnly cookie using JavaScript. That won’t work; it should be setting the cookie in the HTTP response.

Could you please create an Issue?
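
Added example, not part of the original thread and not Xojo framework code: a JavaScript check over the response captured above (embedded as a constructed sample) that flags cookies a server tries to set through document.cookie with HttpOnly, and builds the Set-Cookie header that would carry the same cookie in the HTTP response. The function names are hypothetical.

```javascript
// Constructed sample: the framework response quoted in the thread.
const sampleResponse = JSON.stringify([{
  type: "javascript",
  source: 'document.cookie="test2=Web2; path=/; expires=Sat, 15 Jul 2023 16:55:02 GMT; secure; HttpOnly; SameSite=strict; ";'
}]);

// Parse "name=value; attr; attr=value" into { name, value, attrs }.
function parseCookieString(str) {
  const parts = str.split(";").map(p => p.trim()).filter(p => p.length > 0);
  const first = parts.shift();
  const eq = first.indexOf("=");
  const attrs = {};
  for (const p of parts) {
    const i = p.indexOf("=");
    const key = (i === -1 ? p : p.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : p.slice(i + 1);
  }
  return { name: first.slice(0, eq), value: first.slice(eq + 1), attrs };
}

// Find cookies that a response tries to set from script with HttpOnly.
// Browsers ignore such writes: HttpOnly can only arrive in a Set-Cookie header.
function findScriptSetHttpOnly(responseText) {
  const findings = [];
  for (const cmd of JSON.parse(responseText)) {
    if (cmd.type !== "javascript") continue;
    const re = /document\.cookie\s*=\s*(["'])(.*?)\1/g;
    for (const m of cmd.source.matchAll(re)) {
      const c = parseCookieString(m[2]);
      if (c.attrs.httponly) findings.push(c);
    }
  }
  return findings;
}

// Build the Set-Cookie header value that carries the same cookie.
function toSetCookieHeader(c) {
  const out = [`${c.name}=${c.value}`];
  if (c.attrs.path) out.push(`Path=${c.attrs.path}`);
  if (c.attrs.expires) out.push(`Expires=${c.attrs.expires}`);
  if (c.attrs.secure) out.push("Secure");
  if (c.attrs.httponly) out.push("HttpOnly");
  if (c.attrs.samesite) out.push(`SameSite=${c.attrs.samesite}`);
  return out.join("; ");
}

const findings = findScriptSetHttpOnly(sampleResponse);
for (const c of findings) console.log(c.name, "-> Set-Cookie: " + toSetCookieHeader(c));
```
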

Ok it’s done, Issue #71415
Thanks a lot Ricardo.


Thank you Alain. I’ve created another internal ticket for upgrading Modernizr, to remove the other warnings you’re seeing.

I tried a lot of possibilities and my conclusion is that without HttpOnly it works, e.g. on Firefox, but not with Safari. Safari and its ITP delete these cookies after 7 days. The only way to keep the initial lifetime is to enable HttpOnly, which currently does not work in Web 2.
Are you sure that your cookie is valid for 14 days also with Safari on recent macOS?

It looks like this bug has already been fixed by @Ricardo, amazing in just one day!
Thank you very much, really appreciate it.


Thank you for reporting it :slight_smile:

That’s a good question - it’s possible it only works for 7 days, not 14, and I might not have noticed that difference.