Platforms

Unix, Windows 17.5 and later


Abstract

Sets the SameSite attribute for LISTSERV login cookies


Example

z/VM:

<not available>

Unix:

WWW_COOKIE_SAMESITE="STRICT"

export WWW_COOKIE_SAMESITE

Windows:

WWW_COOKIE_SAMESITE=STRICT


Details

New in LISTSERV 17.5, this configuration variable defines the SameSite attribute for LISTSERV login cookies, which controls whether or not a cookie is sent with cross-site requests. The possible values are Strict, Lax and None.

WWW_COOKIE_SAMESITE can be set in the web interface by going to Server Administration/Site Configuration/Web Interface, or can be set in the site.cfg (Windows) or go.user (Unix) file if preferred.

The default value is Strict, which means that the cookie is only sent for same-site requests.  A request initiated from another site (for example a forged form submission or a link on a third-party page) therefore reaches LISTSERV without the login cookie, which is what protects the web interface against cross-site request forgery.

The other possible values are Lax and None.  Lax sends the cookie with cross-site requests only when they are top-level navigations using a safe method (typically a GET from a link), which lets users arrive at LISTSERV already logged in when they follow a link from another site; None sends the cookie with all cross-site requests.  Note that current browsers only accept a SameSite=None cookie if it also carries the Secure attribute, i.e. if it is set over HTTPS.  We strongly recommend that the default value be used.

Important:  If considering whether to lower the cookie security level, we strongly recommend that the implications of setting the SameSite attribute to Lax or None are clearly understood.  While it is beyond the scope of this document to delve into the intricacies of the HTTP SameSite attribute, we recommend reading the Internet-Draft draft-ietf-httpbis-rfc6265bis-15 (in particular 5.6.7.1, "Strict" and "Lax" enforcement) or an article such as https://web.dev/articles/samesite-cookies-explained, which explains the concept of the attribute and the implications of setting it to the various values.
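The following is an added illustration, not part of the LISTSERV documentation or LISTSERV's own code: a small Python model of the browser-side rule that decides whether a cookie is attached to a request under each SameSite value, together with a parser for a Set-Cookie header so the rule can be applied to what a server actually sends.  The cookie name LOGIN, the host names and the requests are constructed for the example; the "site" of a host is approximated as its last two DNS labels (real browsers consult the Public Suffix List), and a cookie with SameSite=None but no Secure attribute is treated as rejected, which is how current browsers behave.

```python
from dataclasses import dataclass

SAFE_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")


@dataclass
class Cookie:
    name: str
    samesite: str        # "Strict", "Lax" or "None"
    secure: bool = False


@dataclass
class Request:
    initiator_host: str   # host of the page that caused the request
    target_host: str      # host the request is sent to
    method: str = "GET"
    top_level_navigation: bool = False   # link click / typed URL vs. form post, fetch, image


def site_of(host: str) -> str:
    """Approximate the registrable domain as the last two labels.
    Assumption for this example; browsers use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_set_cookie(header: str) -> Cookie:
    """Parse 'Set-Cookie: NAME=value; attr; attr=value ...' into a Cookie.
    A missing SameSite attribute is treated as Lax (the Chromium default)."""
    if header.lower().startswith("set-cookie:"):
        header = header.split(":", 1)[1]
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    samesite, secure = "Lax", False
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        key = key.strip().lower()
        if key == "samesite":
            samesite = value.strip().capitalize()   # Strict / Lax / None
        elif key == "secure":
            secure = True
    return Cookie(name, samesite, secure)


def cookie_is_sent(cookie: Cookie, req: Request) -> bool:
    """Return True if a browser would attach `cookie` to `req`."""
    mode = cookie.samesite.lower()
    # SameSite=None without Secure is rejected at set time, so it is never sent.
    if mode == "none":
        return cookie.secure
    if site_of(req.initiator_host) == site_of(req.target_host):
        return True                                  # same-site: always sent
    if mode == "strict":
        return False                                 # cross-site: never sent
    # Lax: cross-site only for top-level navigations with a safe method
    return req.top_level_navigation and req.method.upper() in SAFE_METHODS


def demo():
    """Constructed scenario: a LISTSERV-style login cookie set with the
    default Strict policy, then two cross-site requests and one same-site request."""
    strict = parse_set_cookie(
        "Set-Cookie: LOGIN=abc123; Path=/; Secure; HttpOnly; SameSite=Strict")
    forged_post = Request("attacker.example", "lists.example.org",
                          method="POST", top_level_navigation=True)
    link_click = Request("attacker.example", "lists.example.org",
                         method="GET", top_level_navigation=True)
    same_site = Request("www.example.org", "lists.example.org", method="POST")
    return {
        "strict_forged_post": cookie_is_sent(strict, forged_post),
        "strict_link_click": cookie_is_sent(strict, link_click),
        "strict_same_site": cookie_is_sent(strict, same_site),
        "lax_forged_post": cookie_is_sent(Cookie("LOGIN", "Lax"), forged_post),
        "lax_link_click": cookie_is_sent(Cookie("LOGIN", "Lax"), link_click),
        "none_secure_forged_post": cookie_is_sent(Cookie("LOGIN", "None", True), forged_post),
        "none_insecure_forged_post": cookie_is_sent(Cookie("LOGIN", "None", False), forged_post),
    }


if __name__ == "__main__":
    for scenario, sent in demo().items():
        print(f"{scenario:28s} cookie sent: {sent}")
```

The forged POST is the cross-site request forgery case: under Strict and Lax the login cookie stays home, under None with Secure it is sent.  The link-click row is the usability trade-off that separates Strict from Lax: with Strict the user who follows a link to LISTSERV from another site arrives without the cookie and has to log in again, with Lax the cookie accompanies that top-level GET.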


Default Value

STRICT