Date:  12/03/2019 02:52:11 PM Msg ID:  005011
From:  FoxWeb Support Thread:  005000
Subject:  Re: cookies with `SameSite=None` and `Secure`
Starting in early 2020, Google Chrome and other browsers are going to start preventing cross-site cookies (cookies to servers other than the one shown in the browser's location bar) from being sent out, unless these cookies specifically allow it. This is to combat a very serious security hole, which is responsible for many CSRF attacks. The following pages describe this threat:
 
https://www.netsparker.com/blog/web-security/same-site-cookie-attribute-prevent-cross-site-request-forgery/
https://www.sjoerdlangkemper.nl/2016/04/14/preventing-csrf-with-samesite-cookie-attribute/ 
 
Browsers will continue to allow cross-site cookies to be sent, only if they were created with a SameSite attribute equal to "None" and also have a Secure attribute. Here's Chrome's relevant page, explaining this.
 
FoxWeb version 4.7 and above allows setting the SameSite attribute of cookies. This is not recommended for the session cookie, because it opens up your site to CSRF attacks, but if you need it to support existing sites, here's how to do this:
 
Cookies Created through Response.SetCookie 
For your own cookies you will need to call fwResponse.SetCookie, specifying .T. for the lCookieSecure parameter and "None" for the new cSameSite parameter. Example:
 
Response.SetCookie("language", "en-us", , , , .T., , "None")
 
Session Cookie 
The attributes of the session cookie can only be set through the registry. You will need to add the following values:
 
Registry Key:

64-bit Windows: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Aegis Group\FoxWeb\CurrentVersion
32-bit Windows: HKEY_LOCAL_MACHINE\SOFTWARE\Aegis Group\FoxWeb\CurrentVersion
 
Name: SessionSameSite
Type: String
Value: "None" (no quotes)
 
Name: SessionRequireSSL
Type: DWord
Value: 1 
 
FoxWeb Support Team
support@foxweb.com
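
The rule described in the reply above, as an added example that is not part of the original message and is not FoxWeb code: a small Python check that audits `Set-Cookie` header values captured from a site after the change. The session cookie name `fwsession` and the sample headers are constructed placeholders, not FoxWeb's actual values.

```python
# Added example: audit Set-Cookie header values against the SameSite=None + Secure rule.
# "fwsession" is a placeholder name, not FoxWeb's real session cookie name.

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, attrs); attribute keys lowercased."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def audit_cookie(header, session_cookie_names=()):
    """Return a list of findings for one Set-Cookie header value (empty list = OK)."""
    name, _, attrs = parse_set_cookie(header)
    samesite = attrs.get("samesite", "").lower()
    secure = "secure" in attrs  # Secure is a flag attribute with no value
    findings = []
    if samesite == "none" and not secure:
        findings.append("rejected: SameSite=None without Secure")
    elif samesite == "":
        findings.append("blocked in cross-site frames: no SameSite attribute")
    elif samesite in ("lax", "strict"):
        findings.append("blocked in cross-site frames: SameSite=" + samesite.capitalize())
    if samesite == "none" and secure and name in session_cookie_names:
        findings.append("csrf exposure: session cookie is sent on cross-site requests")
    return findings


# Constructed sample headers (not captured from a real FoxWeb server).
SAMPLE_HEADERS = [
    "language=en-us; Path=/; Secure; SameSite=None",
    "language=en-us; Path=/; SameSite=None",
    "fwsession=abc123; Path=/; HttpOnly",
    "fwsession=abc123; Path=/; Secure; HttpOnly; SameSite=None",
]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(h, "->", audit_cookie(h, session_cookie_names=("fwsession",)) or "ok")
```

The last sample header is the configuration the reply warns about: it works inside a cross-site frame, and the check flags it so the CSRF trade-off is visible.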
Sent by Martin Martin on 11/20/2019 01:57:04 PM:
Hi, 
 
Are you aware of the Google Chrome new rules:

A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`.
 
Since I use a frame to display my application on my sites, I keep seeing the warning in my browser when I display my script page. 
I think the warning comes from the session created when I hit my sites.
 
How can I solve this?
 
Any suggestion on help page on it?
 
Martin