M,
On 11/8/19 10:40, M. Manna wrote:
> Interesting question.
>
> samesite attribute is also to protect cookies from possible
> cross-site attacks. Even if you have super domain cookies, using
> strict/lax shouldn't make any difference for you, or does it?
I was just thinking that it's obvious that Tomcat would handle the
JSESSIONID cookie with respect to the SameSite policy. But the
CookieProcessor affects *all* cookies for the whole application, not
just those created for session-tracking. Perhaps you want different
policies for different (types of) cookies.
I haven't really thought of any specific use-cases, honestly.
Mark's workaround of directly generating the Set-Cookie response
header is obviously the answer if you want different policies for
different cookies. That just may require applications to be rewritten
if the administrator wants to enable e.g. SameSite=Strict for the
JSESSIONID cookie, because there is no way to say "only apply this
policy to JSESSIONID cookies" or anything like that.
-chris
> On Fri, 8 Nov 2019 at 15:04, Christopher Schultz <
> chris@christopherschultz.net> wrote:
>
> All,
>
> I'm looking at using "samesite" cookies within my application. It
> looks as simple as setting the "sameSite" attribute appropriately
> on the CookieProcessor for the <Context>, which isn't there in a
> default configuration. So you just have to add it:
>
> <Context [...]>
>
> <CookieProcessor sameSiteCookies="lax" />
>
> </Context>
>
> Cool, now my JSESSIONID cookies are coming back with the
> SameSite=Lax parameter.
>
> But it also applies to all the other cookies my application
> creates. It looks like there is no way to set/reset this parameter
> on an individual-cookie basis. That would require a change to the
> Servlet API, right?
>
> I'm okay with SameSite being applied to ALL my cookies, but maybe
> not everybody is. Are there any workarounds for this?
>
> -chris
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
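The direct Set-Cookie approach that Mark's workaround refers to, as an added example that is not code from this thread or from Tomcat: the servlet class, the helper and the cookie names are assumptions, and the policy is chosen per cookie instead of once for the whole <Context>.

```java
import java.io.IOException;
import java.util.Locale;
import java.util.regex.Pattern;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class PerCookieSameSiteServlet extends HttpServlet {
    private static final Pattern UNSAFE = Pattern.compile("[\\r\\n;,\\s\"]");

    /** Builds a Set-Cookie value with an explicit SameSite attribute (hypothetical helper). */
    static String buildSetCookie(String name, String value, String sameSite,
                                 boolean secure, boolean httpOnly, String path) {
        // Reject separators and control characters so callers cannot smuggle
        // extra attributes or headers into the response.
        for (String part : new String[] {name, value, path}) {
            if (UNSAFE.matcher(part).find()) {
                throw new IllegalArgumentException("illegal character in cookie field");
            }
        }
        String policy = sameSite.toLowerCase(Locale.ROOT);
        if (!policy.equals("strict") && !policy.equals("lax") && !policy.equals("none")) {
            throw new IllegalArgumentException("SameSite must be Strict, Lax or None");
        }
        // Browsers drop SameSite=None cookies that are not also Secure.
        if (policy.equals("none") && !secure) {
            throw new IllegalArgumentException("SameSite=None requires Secure");
        }
        StringBuilder sb = new StringBuilder(name).append('=').append(value)
            .append("; Path=").append(path)
            .append("; SameSite=").append(Character.toUpperCase(policy.charAt(0)))
            .append(policy.substring(1));
        if (secure) sb.append("; Secure");
        if (httpOnly) sb.append("; HttpOnly");
        return sb.toString();
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Per-cookie policy: one Strict cookie, one that an embed needs cross-site.
        resp.addHeader("Set-Cookie",
            buildSetCookie("csrf_token", "a1b2c3", "Strict", true, true, "/"));
        resp.addHeader("Set-Cookie",
            buildSetCookie("widget_pref", "dark", "None", true, false, "/"));
        resp.setContentType("text/plain");
        resp.getWriter().println("cookies set");
    }
}
```

The CookieProcessor still governs the JSESSIONID cookie Tomcat issues itself; writing the header directly only bypasses it for the cookies the application creates.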