rack-session

Need to be able to set the partitioned flag on the cookie

Open jrmcgarvey opened this issue 11 months ago • 6 comments

We use the session cookie to maintain state between a front end and the back end running Rails. The front end and back end are typically running on different hosts. The problem this introduces is that this cookie is a cross-site cookie, and browsers are eliminating support for these. The browser vendors are providing a replacement. Cross-site cookies will be allowed, so long as they are partitioned. A partitioned cookie is only active for the top-level site for which it was originally set. To enable this, one has to be able to set the partitioned flag. See https://developers.google.com/privacy-sandbox/3pcd/chips. This doesn't work for session cookies today, at least in the version of Rails (7.0.4.2) I am running.

jrmcgarvey avatar Mar 07 '24 16:03 jrmcgarvey

Never mind. It was fixed in Rack here: commit

jrmcgarvey avatar Mar 08 '24 02:03 jrmcgarvey

https://github.com/rack/rack/commit/958ed518cda851546c4d26ff9fd4db6255bd4021

jrmcgarvey avatar Mar 08 '24 02:03 jrmcgarvey

@jrmcgarvey my original comment was not to close this but I have untangled the spaghetti and think I can see how I can pass it. I will give it a go.

It might be worth leaving it open to update the documentation.

womblep avatar Mar 08 '24 05:03 womblep

@womblep I didn't think I could get the current version of Rails working with the latest Rack, so I did a monkeypatch. Currently Rails and Rack::Session call Rack::Response::Helpers.set_cookie, and that calls ::Rack::Utils.add_cookie_to_header. In the latest Rack, Rack::Response::Helpers.set_cookie calls Rack::Utils.set_cookie_header, so that is the method I fixed.

The monkeypatch was clumsy. It seems like Module.prepend isn't honored when the function is called via ::Rack::Response::Utils.add_cookie_to_header, that is, the reference to the global context, so I had to do a Module.prepend for Rack::Response as well as the one for add_cookie_to_header. Is that the only way to do it?

I can reopen the issue if needed. I don't know how this affects the documentation.

jrmcgarvey avatar Mar 08 '24 15:03 jrmcgarvey
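On the `Module.prepend` question in the comment above, an added example (not code from the thread or from Rack): a stand-in utility module built by a hypothetical `build_utils`, under the assumption that the helper is exposed with `module_function`, in which case calls written as `Utils.helper(...)` reach the singleton copy and only a prepend onto the singleton class intercepts them. The hypothetical `PartitionedCookie` patch also refuses `Partitioned` without `Secure`, which CHIPS requires.

```ruby
# Added illustration; every name here is hypothetical, not Rack's API.
# Assumption: the helper is exposed with module_function, which copies it onto
# the module's singleton class, the copy that `Utils.helper(...)` calls reach.
def build_utils
  Module.new do
    def cookie_header(key, opts)
      parts = ["#{key}=#{opts[:value]}"]
      parts << "Path=#{opts[:path]}" if opts[:path]
      parts << "Secure" if opts[:secure]
      parts << "HttpOnly" if opts[:httponly]
      parts << "SameSite=#{opts[:same_site]}" if opts[:same_site]
      parts.join("; ")
    end
    module_function :cookie_header
  end
end

# Patch: append Partitioned, refusing it without Secure (CHIPS requires both).
module PartitionedCookie
  def cookie_header(key, opts)
    header = super
    return header unless opts[:partitioned]
    raise ArgumentError, "partitioned requires secure" unless opts[:secure]
    "#{header}; Partitioned"
  end
end

# Constructed sample options for a cross-site session cookie.
SESSION_OPTS = { value: "abc123", path: "/", secure: true, httponly: true,
                 same_site: "None", partitioned: true }.freeze

# Prepending onto the module only changes lookup for includers' instances,
# so the singleton call below still runs the unpatched copy.
def via_module_prepend(opts = SESSION_OPTS)
  utils = build_utils
  utils.prepend(PartitionedCookie)
  utils.cookie_header("sid", opts)
end

# Prepending onto the singleton class intercepts `utils.cookie_header(...)`.
def via_singleton_prepend(opts = SESSION_OPTS)
  utils = build_utils
  utils.singleton_class.prepend(PartitionedCookie)
  utils.cookie_header("sid", opts)
end

puts via_module_prepend
puts via_singleton_prepend
```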

I am using it in Sinatra, not Rails, so not sure I can help.

The documentation for Rack::Session::Abstract::Persisted has all the cookie parameters listed as well as in the DEFAULT_OPTIONS. Partitioned probably should be included so it is clear in future. However, the merge you list above hasn't made it to a gem release yet; I think they are waiting to merge it into Rack 3.1. I tested to the point where it hit set_cookie_header and partitioned was passed, so it should all work once they release it.

If you want to reopen this, I can do a documentation update PR which can sit there until rack 3.1 is ready.

womblep avatar Mar 09 '24 03:03 womblep

Ok, reopening for documentation purposes.

jrmcgarvey avatar Mar 09 '24 23:03 jrmcgarvey