When updating our applications to deal with the SameSite=None cookie changes, we ran into this problem:
In our vhost for a previous application, we have this rule that rewrites http requests to https:
RewriteRule (.*) https://oursite.com$1 [NE,L,R=301]
Unfortunately, when this rule is used and requests are rewritten, we lose all SameSite=None cookies, because the new "SameSite=None" also requires "Secure".
As I understand it, when the server receives the initial http request, it does not receive those cookies; the request is then forwarded to the https version, but there are no cookies to resend with the request.
This is our Apache and CentOS information:
Server version: Apache/2.4.6 (CentOS) centos-release-7-6.1810.2.el7.centos.x86_64
Is there any way to redirect http to https that allows Secure cookies to be sent in the https request?
tl;dr notes:
- We have updated all the local URLs in this application to point to https, which avoids many problems.
- The main concern would be links from sources we do not control. As the application is almost 20 years old and connected to many other systems, there will surely be links somewhere that still point to http and are redirected by this rule.
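To make the cookie behaviour behind this question concrete, here is an added example (not part of the original post and not the site's own code) that models, in Python, the browser rules that matter here: a Secure cookie is never attached to a plain http request, a SameSite=None cookie is only stored if it also carries Secure, and a Secure cookie cannot be set by an http response. It then walks a request through the http -> 301 -> https hop that the RewriteRule above produces. The host is the oursite.com placeholder from the question; the cookie name and value are constructed.

```python
"""Model of how a browser treats Secure / SameSite=None cookies across an
http -> https redirect.  Added example, not from the original question.
Assumptions: cookie names and values are constructed; the rules follow
RFC 6265 plus the SameSite defaults introduced with Chrome 80."""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    secure: bool = False
    samesite: str = "Lax"   # a missing SameSite attribute is treated as Lax


def parse_set_cookie(header: str) -> Cookie:
    """Parse the subset of Set-Cookie needed here: name=value, Secure, SameSite."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name=name.strip(), value=value.strip())
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        if key.lower() == "secure":
            cookie.secure = True
        elif key.lower() == "samesite":
            cookie.samesite = val.strip() or "Lax"
    return cookie


class BrowserJar:
    """Minimal cookie jar applying only the browser rules relevant to the question."""

    def __init__(self):
        self.cookies = {}

    def store(self, header: str, response_url: str) -> bool:
        """Apply a Set-Cookie header received on response_url; False if the browser rejects it."""
        cookie = parse_set_cookie(header)
        scheme = urlsplit(response_url).scheme
        # SameSite=None is only honoured together with Secure
        if cookie.samesite.lower() == "none" and not cookie.secure:
            return False
        # "Strict Secure Cookies": a Secure cookie cannot be set from an http response
        if cookie.secure and scheme != "https":
            return False
        self.cookies[cookie.name] = cookie
        return True

    def cookie_header(self, url: str, cross_site_navigation: bool = False) -> str:
        """Build the Cookie header the browser would attach to a request for url."""
        scheme = urlsplit(url).scheme
        sent = []
        for c in self.cookies.values():
            if c.secure and scheme != "https":
                continue            # Secure cookies never travel over plain http
            if cross_site_navigation and c.samesite.lower() == "strict":
                continue            # Strict is withheld on cross-site top-level navigations
            sent.append(f"{c.name}={c.value}")
        return "; ".join(sent)


def simulate_redirect(jar: BrowserJar, http_url: str, cross_site: bool = False):
    """Model the vhost rule: the http request is answered with a 301 to the https
    URL and the browser follows it.  Returns the Cookie headers of both requests."""
    assert http_url.startswith("http://")
    first = jar.cookie_header(http_url, cross_site)
    https_url = "https://" + http_url[len("http://"):]
    # The browser evaluates the jar again for the new https request
    second = jar.cookie_header(https_url, cross_site)
    return first, second


if __name__ == "__main__":
    jar = BrowserJar()
    # Session cookie previously set by the https version of the site (constructed value)
    jar.store("PHPSESSID=abc123; Secure; SameSite=None; Path=/", "https://oursite.com/")
    # A link from a third-party site pointing at the old http URL
    print(simulate_redirect(jar, "http://oursite.com/app/page", cross_site=True))
```

Running it shows the first (http) request carrying no Cookie header at all, while the follow-up https request after the 301 does carry the Secure, SameSite=None session cookie; the jar also refuses a SameSite=None cookie that lacks Secure and a Secure cookie set over http, which is where a legacy application that still emits cookies on http responses loses them.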