Can't set SameSite attribute on a cookie

Hi guys,

I’m using Kong Gateway, and in one of my Lua plugins I’m setting a cookie and need it to have the SameSite attribute set to None (SameSite cookies - HTTP | MDN).
The latest version of lua-resty-cookie published to luarocks and specified by Kong’s rockspec is 5 years old, and does not support the SameSite attribute at all.
Is there a way of requiring the latest version of this rock (i.e. current commit)?
What is the recommended way of creating cookies with this attribute?

Thanks

Hi. I’d seen this a month ago, but had to work through my org’s legal department to be sure I could share this code snippet. I’ve gotten approval, so I can share what we did to work around this problem.

Anyhow, the trick with handling the SameSite=None cookie attribute is that older versions of the different popular browsers in use don’t support that attribute, leading to errors if the attribute is returned on a cookie. The Chrome team provided some guidance on how to handle different versions of browsers here on chromium.org, so if you combine their guidance with a basic cookie library you get something like this pair of modules. If your supported set of browser versions is larger or smaller than ours, you may need or want to tweak the checks in the should_send_samesite_none module, and if you need to apply SameSite=None more conditionally you may need to add another table argument to control that.

Hope that helps.
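The approach described in the reply above, as an added example that is not the poster's code: a plain-Lua sketch of a User-Agent check following Chromium's "SameSite=None: Known Incompatible Clients" guidance, plus a minimal Set-Cookie builder. All function names other than `should_send_samesite_none`, the cookie name and value, and the sample User-Agent strings are assumptions made for illustration.

```lua
-- Added example, not the poster's modules; checks follow Chromium's incompatible-clients guidance.
local M = {}

local function has_webkit_samesite_bug(ua)
  -- iOS 12: every browser there uses the affected WebKit.
  if tonumber(ua:match("%(iP.+; CPU .*OS (%d+)[_%d]*.*%) AppleWebKit/")) == 12 then return true end
  -- macOS 10.14: Safari and embedded WebKit views only.
  local maj, min = ua:match("%(Macintosh;.*Mac OS X (%d+)_(%d+)[_%d]*.*%) AppleWebKit/")
  if maj ~= "10" or min ~= "14" then return false end
  local safari = ua:find("Version/.* Safari/") and not ua:find("Chrom", 1, true)
  local embedded = ua:find("^Mozilla/[%.%d]+ %(Macintosh;.*Mac OS X [_%d]+%) AppleWebKit/[%.%d]+ %(KHTML, like Gecko%)$")
  return (safari or embedded) and true or false
end

local function drops_unrecognized_samesite(ua)
  if ua:find("UCBrowser/", 1, true) then
    -- UC Browser before 12.13.2; an unparsable version counts as old (assumption).
    local a, b, c = ua:match("UCBrowser/(%d+)%.(%d+)%.(%d+)")
    a, b, c = tonumber(a) or 0, tonumber(b) or 0, tonumber(c) or 0
    if a ~= 12 then return a < 12 end
    if b ~= 13 then return b < 13 end
    return c < 2
  end
  -- Chromium 51 through 66 reject a cookie carrying SameSite=None.
  local v = tonumber(ua:match("Chrom[^ /]+/(%d+)[%.%d]* "))
  return v ~= nil and v >= 51 and v < 67
end

function M.should_send_samesite_none(ua)
  -- No User-Agent header: treated as a current client (assumption).
  if type(ua) ~= "string" then return true end
  return not (has_webkit_samesite_bug(ua) or drops_unrecognized_samesite(ua))
end

-- Returns a Set-Cookie value; name and value must already be cookie-safe.
function M.build_cookie(name, value, ua)
  local parts = { name .. "=" .. value, "Path=/", "Secure", "HttpOnly" }
  if M.should_send_samesite_none(ua) then
    parts[#parts + 1] = "SameSite=None" -- browsers require Secure alongside it
  end
  return table.concat(parts, "; ")
end

-- Constructed sample User-Agent strings: Chrome 66 (incompatible) and Chrome 80.
local old = "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36"
local new = "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36"
print(M.build_cookie("session", "abc123", old))
print(M.build_cookie("session", "abc123", new))
return M
```

In a Kong plugin the User-Agent would come from `kong.request.get_header("User-Agent")` and the returned string would go to `kong.response.add_header("Set-Cookie", ...)`.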

