Data Privacy and GDPR

Improved User’s Privacy with SameSite Cookies

Introduced in version 10.3

We cannot stress this enough — in fact I think we have mentioned it in almost every release announcement article over the last few years — security is one of our top priorities and maximum privacy settings are TYPO3’s defaults.

Now TYPO3 supports SameSite cookies to improve users’ privacy. Modern browsers such as Firefox, Chrome, Opera, Microsoft Edge and Safari include this new feature to “mitigate the risk of cross-origin information leakage”, with “some protection against cross-site request forgery attacks” according to the OWASP. Websites and web applications can set a flag with each cookie that declares if the cookie should be restricted to a first-party or same-site context. In other words, we can now define whether to share certain information (e. g. session cookie) with third-party sites if scripts or iframes are used on a site for example.

All cookies sent by TYPO3 now support the SameSite-flag. Frontend session cookies are set to “SameSite=Lax” and backend session cookies as well as Install Tool session and workspace cookies set the more restrictive “SameSite=Strict” flag.

Under a few rare circumstances (for example with OAuth2 or OpenID connect solutions), the default settings might be too strict. For these edge cases, the Install Tool offers a system configuration to adjust the SameSite cookies policies.

By the way, due to its importance and doubtless privacy improvement, the SameSite cookies feature has also been implemented in TYPO3 v8 and v9 earlier this month, so that you can apply enhanced privacy settings even in older versions of TYPO3.