How Can I Set the SameSite Cookie Attribute? (New Security Requirement for Google Chrome)

DaveSmash
Posts: 9
Joined: Tue Mar 06, 2018 1:44 am

Postby DaveSmash » Tue Aug 18, 2020 8:26 pm

I use an IFrame to display the zimbra webmail portal within another web application. Recently, this stopped working in new versions of Google Chrome, which now requires cross-origin cookies to have the Secure and SameSite=None attributes set. In the webmail, users are getting an error saying that cookies are required for login, and on the developer console, I see the following error:

A cookie associated with a cross-site resource at http://xxxxxxx.com/ was set without the `SameSite` attribute. It has been blocked, as Chrome now only delivers cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.

It looks like this can be done in Nginx configuration by using proxy_cookie_path, but in /opt/zimbra/conf/nginx I see a ton of configuration files in the directories there, and I am not sure which one(s) I need to edit, or if I am looking in the wrong place altogether. Some links that I am reading say to look for ssl.conf or default.conf, but Zimbra doesn't seem to use either of these files. Can anyone point me in the right direction? I am using Ubuntu 18.04 and Zimbra 8.8.6_GA_1906 OSE. Thanks in advance for any help!

DualBoot
Elite member
Posts: 1308
Joined: Mon Apr 18, 2016 8:18 pm
Location: France - Earth
ZCS/ZD Version: ZCS FLOSS - 8.8.15 Multi servers

Re: How Can I Set the SameSite Cookie Attribute? (New Security Requirement for Google Chrome)

Postby DualBoot » Wed Aug 19, 2020 12:45 pm

Hello,

You need to use the following attribute at the Zimbra Proxy level: zimbraReverseProxyResponseHeaders

Regards,

Re: How Can I Set the SameSite Cookie Attribute? (New Security Requirement for Google Chrome)

Postby DaveSmash » Wed Aug 19, 2020 7:30 pm

Thank you, DualBoot.

EDIT: This appeared to work, but it actually added a second Set-Cookie header without overwriting or removing the first one, so the issue is still ongoing. The following step added the header:


zmprov mcf +zimbraReverseProxyResponseHeaders "Set-Cookie: \"ZM_Test=true; Secure; SameSite=None\""

This generates a second header, but it seems like it's ignored because the first cookie is still being passed. Furthermore, upon login, a second cookie is added, which isn't accounted for in this approach.

It appears that the cookies are being generated in login.jsp - first the ZM_TEST cookie to see whether the browser accepts cookies, and then when the user actually logs in, there is an authentication cookie:


Cookie testCookie = new Cookie("ZM_TEST", "true");
testCookie.setSecure(com.zimbra.cs.taglib.ZJspSession.secureAuthTokenCookie(request));
response.addCookie(testCookie);

So perhaps I will need to modify this .jsp file, although I would prefer a configuration option so that I don't need to worry about updates overwriting my modifications.

Any other thoughts or ideas would be appreciated!
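An added check, not code from the thread or from Zimbra, that replays Set-Cookie headers the way a browser cookie store does and reports whether Chrome (80+) would attach each resulting cookie to a cross-site request such as the iframe described above. The header values are constructed after the ones quoted in this post, and the default cookie path is assumed to be "/".

```python
from typing import Dict, List, Tuple

Cookie = Dict[str, str]  # "name"/"value" plus lower-cased attribute names -> values


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value; flag attributes (Secure, HttpOnly) map to ""."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie: Cookie = {"name": name.strip(), "value": value.strip()}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        cookie[key.strip().lower()] = val.strip()
    return cookie


def apply_to_jar(headers: List[str]) -> Dict[Tuple[str, str], Cookie]:
    """Replay Set-Cookie headers into a jar keyed on (name, path).

    A later header replaces an earlier one only on an exact key match; cookie
    names are case-sensitive (RFC 6265), so ZM_Test does not replace ZM_TEST.
    Path defaults to "/" here (assumption: browsers derive it from the request URL).
    """
    jar: Dict[Tuple[str, str], Cookie] = {}
    for h in headers:
        c = parse_set_cookie(h)
        jar[(c["name"], c.get("path", "/"))] = c
    return jar


def cross_site_status(cookie: Cookie) -> str:
    """'sent' if Chrome 80+ attaches the cookie to a cross-site request, else the reason not."""
    same_site = cookie.get("samesite", "")
    if same_site.lower() != "none":  # a missing SameSite is treated as Lax and blocked cross-site
        return "blocked: SameSite=" + (same_site or "<missing, treated as Lax>")
    if "secure" not in cookie:  # SameSite=None is rejected outright without Secure
        return "blocked: SameSite=None without Secure"
    return "sent"


def audit(headers: List[str]) -> Dict[str, str]:
    """Map each cookie name left in the jar to its cross-site (iframe) status."""
    return {name: cross_site_status(c) for (name, _), c in apply_to_jar(headers).items()}


# Constructed sample modelled on this thread: the proxy forwards the cookie set by
# login.jsp and appends the header added through zimbraReverseProxyResponseHeaders.
SAMPLE_HEADERS = [
    "ZM_TEST=true; Secure",                                  # from login.jsp, no SameSite
    "ZM_Test=true; Secure; SameSite=None",                   # appended; name differs in case
    "ZM_LOGIN_CSRF=abc; HttpOnly; Secure; SameSite=Strict",  # Strict never crosses sites
]
```

Running `audit(SAMPLE_HEADERS)` shows ZM_TEST still blocked while the differently-cased ZM_Test is sent, which is what a second header that does not exactly match the first cookie's name and path produces.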

Re: How Can I Set the SameSite Cookie Attribute? (New Security Requirement for Google Chrome)

Postby DualBoot » Thu Aug 20, 2020 2:15 pm

Seems to be the good recipe:


zmprov md your_domain.tld +zimbraReverseProxyResponseHeaders "Set-Cookie: \"ZM_TEST=true; HttpOnly; Secure; SameSite=Strict\""
zmprov md your_domain.tld +zimbraReverseProxyResponseHeaders "Set-Cookie: \"ZM_LOGIN_CSRF=true; HttpOnly; Secure; SameSite=Strict\""

I usually do this at the domain level, so it is important to set up a zimbraVirtualHostname for your domain, which needs to be resolvable by your Zimbra server itself.
Now you can get at least grade B here: https://observatory.mozilla.org

Regards,

Re: How Can I Set the SameSite Cookie Attribute? (New Security Requirement for Google Chrome)

Postby DualBoot » Thu Aug 20, 2020 6:46 pm

Well, after testing with an empty browser cache, it seems I was completely wrong. My command completely disables the authentication process :?
It seems it is impossible to modify the cookie settings.
Sorry :(

Digging deeper into the Nginx documentation: if you want to manipulate cookies, Nginx needs the cookie flag module:
https://docs.nginx.com/nginx/admin-guid ... okie-flag/
And Zimbra's Nginx is not provided with this module, according to the following command:


zimbra@srv-zproxy01:~$ nginx -V
nginx version: nginx/1.7.1
TLS SNI support enabled
configure arguments: --prefix=/opt/zimbra/common --with-cc-opt='-g -I/opt/zimbra/common/include' --with-ld-opt='-Wl,-rpath,/opt/zimbra/common/lib -L/opt/zimbra/common/lib' --with-debug --with-ipv6 --with-http_ssl_module --with-http_stub_status_module --with-pcre --with-http_upstream_zmauth_module --with-http_zm_sso_module --with-http_spdy_module --with-mail --with-mail-sasl --with-mail_ssl_module --error-log-path=/opt/zimbra/log/nginx.log --http-log-path=/opt/zimbra/log/nginx.access.log --http-client-body-temp-path=/opt/zimbra/data/tmp/nginx/client --http-proxy-temp-path=/opt/zimbra/data/tmp/nginx/proxy --http-fastcgi-temp-path=/opt/zimbra/data/tmp/nginx/fastcgi --without-http_scgi_module --without-http_uwsgi_module --add-module=modules/nviennot-nginx-tcp-keepalive
zimbra@srv-zproxy01:~$

Regards,

Re: How Can I Set the SameSite Cookie Attribute? (New Security Requirement for Google Chrome)

Postby DaveSmash » Thu Aug 20, 2020 10:25 pm

@DualBoot - thank you for trying. In addition to the module you have mentioned, I have seen references to using proxy_cookie_path, but I have spent a few hours going down that path and it does not seem to be working either. So in /opt/zimbra/conf/nginx/templates, I tried editing nginx.conf.web.https.default.template, finding the section for location = /, and then below proxy_pass, I tried to add

proxy_cookie_path / "/;SameSite=None";

Then restarted the proxy with zmproxyctl restart. That doesn't cause any errors, but doesn't seem to work either. The only other suggestion that I have seen was to add something like

more_set_headers 'Set-Cookie: $sent_http_set_cookie;SameSite=None';

But that one does prevent the proxy from starting because more_set_headers is not recognized (which implies that proxy_cookie_path IS recognized, because it doesn't trigger the same error.)

Oh well, I am giving up. Perhaps I can work some DNS magic so that the Zimbra server and the web application share the same domain. Thanks for your help!
