Cookie.DiscardingCookie is not setting sameSite value

[barathguna]

Issue

When Session is cleared using withNewSession or data map is empty in Session then the play_framework code applies DiscardingCookie which reset the PLAY_SESSION.
But DiscardingCookie is not using sameSite settings. So the set-cookie is ignored by browser.

Play Version

2.7.4

API

DiscardingCookie()

Operating System

Any

JDK

Any

Library Dependencies

NA

Expected Behavior

1. DiscardingCookie should use sameSite settings
2. This is applicable only when Session.isEmpty is true

Actual Behavior

1. sameSite settings is not applied when Session data map is empty

Reproducible Test Case

def clearSession: Action[AnyContent] = Action.async { _ =>
  Future.successful(Ok.withNewSession)
}

[mkurz]

But DiscardingCookie is not using sameSite settings. So the set-cookie is ignored by browser.

You are correct that DiscardingCookie does not set the SameSite flag, however the set-cookie works fine in latest Chrome and Firefox anyway. To unset a cookie, the SameSite flag does not matter.. I can not see any issues here. Which browser are you using? Maybe you got confused in the browser dev tools, Chrome still shows the cookie after the page, which comes with the response that un-sets the cookie, got loaded. Only after you navigate away from that page Chrome updates and shows that the cookie is gone. Firefox is more clear here, it already doesn't show the cookie anymore as soon as the unset cookie response arrives.

[wadouk]

The unwanted behavior that is you are still login because of missing the SameSite flag, the modification of the cookie is refused is still served by chrome

Any workaround ?

[mkurz]

I am adding this issue to the 2.8.4 milestone, maybe I find time to look into it.

[mkurz]

I am not sure why but there was a comment from @wadouk which got deleted (by @wadouk? Or was there a problem with GitHub?)

From my email inbox:

This missing feature exists only in cross domain, so we need to override the domain part for an other closed use case

Our workaround

class XDomainCookieFilter(implicit val mat: Materializer) extends Filter {
	override def apply(nextFilter: (RequestHeader) => Future[Result])(rh: RequestHeader): Future[Result] = {
		val h = rh.host.split("\\.").toList
		val domain = if(h.size < 2) rh.host else s".${h.init.last}.${h.last}"

		val sessionCookie = rh.attrs.get(RequestAttrKey.Cookies).toList.flatMap { _.value.map { c => c.copy(domain = Some(domain)) } }

		nextFilter(rh).map { _.withCookies(sessionCookie: _*).withNewSession }
	}
}

[mkurz]

A possible fix is here: #10693

[wadouk]

Don't remember ...
Don't find in the code. Maybe an architecture workaround that set useless this : handling multiple domains in the same app.