How Can I Set the SameSite Cookie Attribute? (New Security Requirement for Google Chrome)

DaveSmash
Posts: 10
Joined: Tue Mar 06, 2018 1:44 am

How Can I Set the SameSite Cookie Attribute? (New Security Requirement for Google Chrome)

Post by DaveSmash »

I use an IFrame to display the zimbra webmail portal within another web application. Recently, this stopped working in new versions of Google Chrome, which now requires cross-origin cookies to have the Secure and SameSite=None attributes set. In the webmail, users are getting an error saying that cookies are required for login, and on the developer console, I see the following error:
A cookie associated with a cross-site resource at http://xxxxxxx.com/ was set without the `SameSite` attribute. It has been blocked, as Chrome now only delivers cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.
It looks like this can be done in Nginx configuration by using proxy_cookie_path, but in /opt/zimbra/conf/nginx I see a ton of configuration files in the directories there, and I am not sure which one(s) I need to edit, or if I am looking in the wrong place altogether. Some links that I am reading say to look for ssl.conf or default.conf, but Zimbra doesn't seem to use either of these files. Can anyone point me in the right direction? I am using Ubuntu 18.04 and Zimbra 8.8.6_GA_1906 OSE. Thanks in advance for any help!
DualBoot
Elite member
Posts: 1326
Joined: Mon Apr 18, 2016 8:18 pm
Location: France - Earth
ZCS/ZD Version: ZCS FLOSS - 8.8.15 Mutli servers

Re: How Can I Set the SameSite Cookie Attribute? (New Security Requirement for Google Chrome)

Post by DualBoot »

Hello,

You need to use the following attribute at the Zimbra Proxy level: zimbraReverseProxyResponseHeaders

Regards,
DaveSmash
Posts: 10
Joined: Tue Mar 06, 2018 1:44 am

Re: How Can I Set the SameSite Cookie Attribute? (New Security Requirement for Google Chrome)

Post by DaveSmash »

Thank you, DualBoot.

EDIT: This appeared to work, but it actually added a second Set-Cookie header without overwriting or removing the first one, so the issue is still ongoing. The following step added the header:

Code:

zmprov mcf +zimbraReverseProxyResponseHeaders "Set-Cookie: \"ZM_Test=true; Secure; SameSite=None\""

This generates a second header, but it seems like it's ignored because the first cookie is still being passed. Furthermore, upon login, a second cookie is added, which isn't accounted for in this approach.

It appears that the cookies are being generated in login.jsp - first the ZM_TEST cookie to see whether the browser accepts cookies, and then when the user actually logs in, there is an authentication cookie:

Code:

Cookie testCookie = new Cookie("ZM_TEST", "true");
testCookie.setSecure(com.zimbra.cs.taglib.ZJspSession.secureAuthTokenCookie(request));
response.addCookie(testCookie);

So perhaps I will need to modify this .jsp file, although I would prefer a configuration option so that I don't need to worry about updates overwriting my modifications.

Any other thoughts or ideas would be appreciated!
DualBoot
Elite member
Posts: 1326
Joined: Mon Apr 18, 2016 8:18 pm
Location: France - Earth
ZCS/ZD Version: ZCS FLOSS - 8.8.15 Mutli servers

Re: How Can I Set the SameSite Cookie Attribute? (New Security Requirement for Google Chrome)

Post by DualBoot »

Seems to be the good recipe:

Code:

zmprov md your_domain.tld +zimbraReverseProxyResponseHeaders "Set-Cookie: \"ZM_TEST=true; HttpOnly; Secure; SameSite=Strict\""
zmprov md your_domain.tld +zimbraReverseProxyResponseHeaders "Set-Cookie: \"ZM_LOGIN_CSRF=true; HttpOnly; Secure; SameSite=Strict\""

I usually do this at the domain level, so it is important to set up a zimbraVirtualHostname for your domain, which needs to be resolvable by your Zimbra server itself.
Now you can get at least grade B here: https://observatory.mozilla.org

Regards,
DualBoot
Elite member
Posts: 1326
Joined: Mon Apr 18, 2016 8:18 pm
Location: France - Earth
ZCS/ZD Version: ZCS FLOSS - 8.8.15 Mutli servers

Re: How Can I Set the SameSite Cookie Attribute? (New Security Requirement for Google Chrome)

Post by DualBoot »

Well, after testing with an empty browser cache, it seems I was completely wrong. My command completely disables the authentication process :?
It seems it is impossible to modify the cookie settings.
Sorry :(

Digging deeper into the Nginx documentation: if you want to manipulate cookies, Nginx needs the cookie flag module:
https://docs.nginx.com/nginx/admin-guid ... okie-flag/
And Zimbra's Nginx is not built with this module, according to the following command:

Code:

zimbra@srv-zproxy01:~$ nginx -V
nginx version: nginx/1.7.1
TLS SNI support enabled
configure arguments: --prefix=/opt/zimbra/common --with-cc-opt='-g -I/opt/zimbra/common/include' --with-ld-opt='-Wl,-rpath,/opt/zimbra/common/lib -L/opt/zimbra/common/lib' --with-debug --with-ipv6 --with-http_ssl_module --with-http_stub_status_module --with-pcre --with-http_upstream_zmauth_module --with-http_zm_sso_module --with-http_spdy_module --with-mail --with-mail-sasl --with-mail_ssl_module --error-log-path=/opt/zimbra/log/nginx.log --http-log-path=/opt/zimbra/log/nginx.access.log --http-client-body-temp-path=/opt/zimbra/data/tmp/nginx/client --http-proxy-temp-path=/opt/zimbra/data/tmp/nginx/proxy --http-fastcgi-temp-path=/opt/zimbra/data/tmp/nginx/fastcgi --without-http_scgi_module --without-http_uwsgi_module --add-module=modules/nviennot-nginx-tcp-keepalive
zimbra@srv-zproxy01:~$

Regards,
DaveSmash
Posts: 10
Joined: Tue Mar 06, 2018 1:44 am

Re: How Can I Set the SameSite Cookie Attribute? (New Security Requirement for Google Chrome)

Post by DaveSmash »

@DualBoot - thank you for trying. In addition to the module you have mentioned, I have seen references to using proxy_cookie_path, but I have spent a few hours going down that path and it does not seem to be working either. So in /opt/zimbra/conf/nginx/templates, I tried editing nginx.conf.web.https.default.template, finding the section for location = /, and then below proxy_pass, I tried to add

proxy_cookie_path / "/;SameSite=None";

Then restarted the proxy with zmproxyctl restart. That doesn't cause any errors, but doesn't seem to work either. The only other suggestion that I have seen was to add something like

more_set_headers 'Set-Cookie: $sent_http_set_cookie;SameSite=None';

But that one does prevent the proxy from starting because more_set_headers is not recognized (which implies that proxy_cookie_path IS recognized, because it doesn't trigger the same error.)

Oh well, I am giving up. Perhaps I can work some DNS magic so that the Zimbra server and the web application share the same domain. Thanks for your help!
rokoyato
Advanced member
Posts: 86
Joined: Mon Jun 29, 2020 9:12 am

Re: How Can I Set the SameSite Cookie Attribute? (New Security Requirement for Google Chrome)

Post by rokoyato »

Hi,

Sorry to revive this topic from the grave, but did you ever find a way to set "HttpOnly; Secure; SameSite=Strict" in the cookies?

Regards
DaveSmash
Posts: 10
Joined: Tue Mar 06, 2018 1:44 am

Re: How Can I Set the SameSite Cookie Attribute? (New Security Requirement for Google Chrome)

Post by DaveSmash »

rokoyato wrote:Hi,

Sorry to revive this topic from the grave, but did you ever find a way to set "HttpOnly; Secure; SameSite=Strict" in the cookies?

Regards
Sorry, but no, I didn't. I tried once more a while later, and ran into the same issues. My solution was to move my application and my Zimbra server onto different subdomains in the same domain - that satisfied the requirement without the use of the SameSite attribute.
rokoyato
Advanced member
Posts: 86
Joined: Mon Jun 29, 2020 9:12 am

Re: How Can I Set the SameSite Cookie Attribute? (New Security Requirement for Google Chrome)

Post by rokoyato »

DaveSmash wrote:
rokoyato wrote:Hi,

Sorry to revive this topic from the grave, but did you ever find a way to set "HttpOnly; Secure; SameSite=Strict" in the cookies?

Regards
Sorry, but no, I didn't. I tried once more a while later, and ran into the same issues. My solution was to move my application and my Zimbra server onto different subdomains in the same domain - that satisfied the requirement without the use of the SameSite attribute.
Thanks for your answer, I will check with Synacor support to see if they have an answer to this.

Regards
rokoyato
Advanced member
Posts: 86
Joined: Mon Jun 29, 2020 9:12 am

Re: How Can I Set the SameSite Cookie Attribute? (New Security Requirement for Google Chrome)

Post by rokoyato »

DaveSmash wrote:
rokoyato wrote:Hi,

Sorry to revive this topic from the grave, but did you ever find a way to set "HttpOnly; Secure; SameSite=Strict" in the cookies?

Regards
Sorry, but no, I didn't. I tried once more a while later, and ran into the same issues. My solution was to move my application and my Zimbra server onto different subdomains in the same domain - that satisfied the requirement without the use of the SameSite attribute.
Hi, so this is the way to go, in case you or anyone else needs that in the future:

zmprov mcf +zimbraReverseProxyResponseHeaders "Set-Cookie: \"ZM_TEST=true;Secure;HttpOnly;SameSite=Strict\""

Which should give you this result in Mozilla Observatory:

[Image: Mozilla Observatory result]

To test:

https://observatory.mozilla.org

So far I have not managed to find a correct way to get prefixed cookies; still waiting for the support answer on this one.
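A small audit script, added here and not part of the thread or of Zimbra, for checking what the proxy actually emits after any of the zmprov recipes above: it parses Set-Cookie headers, reports missing Secure/HttpOnly/SameSite attributes, flags a duplicate Set-Cookie for the same cookie name (the "second header" DaveSmash observed), and, when the cookie must survive a cross-origin iframe embed as in the original question, checks for SameSite=None plus Secure, which a SameSite=Strict recipe does not satisfy. The sample headers are constructed for illustration, not captured from a server.

```python
from dataclasses import dataclass, field

@dataclass
class CookieReport:
    name: str
    attrs: dict = field(default_factory=dict)
    problems: list = field(default_factory=list)

def parse_set_cookie(header: str) -> CookieReport:
    """Split a Set-Cookie value into the cookie name and a lowercase attribute map."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip()
    return CookieReport(name, attrs)

def audit(headers, cross_site: bool):
    """Audit each Set-Cookie header. cross_site=True means the cookie must be
    delivered from a cross-origin iframe (Chrome: SameSite=None and Secure)."""
    reports = [parse_set_cookie(h) for h in headers]
    seen = set()
    for r in reports:
        samesite = r.attrs.get("samesite", "").lower()
        if "secure" not in r.attrs:
            r.problems.append("missing Secure")
        if "httponly" not in r.attrs:
            r.problems.append("missing HttpOnly")
        if not samesite:
            r.problems.append("missing SameSite (Chrome now defaults to Lax)")
        if cross_site and samesite != "none":
            r.problems.append("not delivered cross-site: needs SameSite=None")
        if samesite == "none" and "secure" not in r.attrs:
            r.problems.append("SameSite=None without Secure is rejected by Chrome")
        if r.name in seen:
            # A proxy that appends a header instead of rewriting it lands here.
            r.problems.append(f"duplicate Set-Cookie for {r.name}")
        seen.add(r.name)
    return reports

# Constructed sample: the original ZM_TEST cookie plus the header the
# zmprov +zimbraReverseProxyResponseHeaders recipe appends to the response.
SAMPLE_HEADERS = [
    "ZM_TEST=true; Path=/",
    "ZM_TEST=true; Secure; SameSite=None",
]

if __name__ == "__main__":
    for report in audit(SAMPLE_HEADERS, cross_site=True):
        print(report.name, report.problems)
```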