A couple of weeks back, a web server user from one of the Delphi groups I am part of was complaining about support of new missing elements in the TCookie class that comes with Delphi.
For those who are uninitiated in cookies, cookies are small bits of information that the web server send to the client’s browser to store in itself, along with the response. Once the browser receives and stores the cookie, the browser takes it upon itself to send that cookie back to the web server with every call.
Clearly, this is not as straight forward as I made it sound. The cookie it self can come with conditions from which the browser can either accept or reject the storage of the cookie itself the first time it receives it. Also, there are post storage conditions in the cookie from which the browser determines where to send the cookie automatically along with the call or not. For example, if my browser has received (and accepted) a cookie from say… www.xyz.com , it will only send the received cookie when a call from the browser goes to the same website, ie www.xyz.com. If the browser makes a call to www.abc.com, the cookie received from www.xyz.com will not be sent (obviously!).
Now, coming to the reason why this blog has been written. Of the many conditions in the cookie, one of the (new) conditions that the browsers enforce is the ‘SameSite’ condition. Right now, it doesn’t matter what that condition means or where and how it is used. We are simply concerned with setting that condition within the cookie we create in our web server to send to the client browser. If you notice the TCookie class in the Sydney’s, it looks like this:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 |
{ TCookie } TCookie = class(TCollectionItem) private FName: string; FValue: string; FPath: string; FDomain: string; FExpires: TDateTime; FSecure: Boolean; FHttpOnly: Boolean; protected function GetHeaderValue: string; public constructor Create(Collection: TCollection); override; procedure AssignTo(Dest: TPersistent); override; property Name: string read FName write FName; property Value: string read FValue write FValue; property Domain: string read FDomain write FDomain; property Path: string read FPath write FPath; property Expires: TDateTime read FExpires write FExpires; property Secure: Boolean read FSecure write FSecure; property HeaderValue: string read GetHeaderValue; property HttpOnly: Boolean read FHttpOnly write FHttpOnly; end; |
And now, look at this snip from my browser
You can see that the SameSite property doesn’t exist in the TCookie class but the browser seems to care for it. So much so, that if it didn’t get it, it wouldn’t allow the cookie to settle into itself.
The question now is, how do I get my cookie to contain that value even though the TCookie class doesn’t support it.
The answer lies in the way cookies are set in the browser the first time.
You see, when you first send a cookie using the TCookie class, your code might look something like this…
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 |
procedure TSomeClass.SendWebResponse; var NewCookie: TCookie; begin NewCookie := Response.Cookies.Add; // Response is TWebResponse object NewCookie.Name := 'MyCookie'; NewCookie.Value := 'SomeValueHere'; NewCookie.Domain := 'https://www.vimovyaa.com'; NewCookie.Path := '/'; NewCookie.Expires := IncMinute(Now, 60); NewCookie.Secure := True; NewCookie.HttpOnly := True; // send the web response here end; |
However, you will notice that the browser will not let you set the cookie because the SameSite property is not set in the cookie! But you can’t set the SameSite property because it doesn’t exist! Catch-22? Yup!
But, here’s the thing. The TCookie class is nothing but an information holder to construct value for a HTTP header named ‘Set-Cookie’. What that means is that even if you don’t use the TCookie class, you can simply set the cookie by adding the header ‘Set-Cookie’ to your HTTP response and it will work!
Now that we know, this, we can use the best of both worlds and use the TCookie class generate the value and then append the extra stuff required by the browser to the value like this:
|
1 2 3 4 5 6 7 8 |
... ... NewCookie :=TCookie.Create(nil); ... ... NewValue := NewCookie.HeaderValue + ';SameSite=Lax'; ... ... |
And finally, you can then manually add the HTTP header like this:
|
1 2 3 4 5 |
.. .. Context.Response.SetCustomHeader('Set-Cookie', NewValue); .. .. |
And voila! Now your browser will happily accept your cookies because it has all the information it requires.