tomcat-users mailing list archives

From Mark Thomas <ma...@apache.org>
Subject Re: SameSite cookies
Date Fri, 08 Nov 2019 16:53:18 GMT
> All,
> 
> I'm looking at using "samesite" cookies within my application. It
> looks as simple as setting the "sameSite" attribute appropriately on
> the CookieProcessor for the <Context>, which isn't there in a default
> configuration. So you just have to add it:
> 
> <Context [...]>
> 
>    <CookieProcessor sameSiteCookies="lax" />
> 
> </Context>
> 
> Cool, now my JSESSIONID cookies are coming back with the SameSite=Lax
> parameter.
> 
> But it also applies to all the other cookies my application creates.
> It looks like there is no way to set/reset this parameter on an
> individual-cookie basis. That would require a change to the Servlet
> API, right?

That would be one way to implement it - and then the app would have to
(un)set it.

Per Cookie configuration in CookieProcessor would be another way. I
haven't thought about how that might be implemented though.

> I'm okay with SameSite being applied to ALL my cookies, but maybe not
> everybody is. Are there any workarounds for this?

Manually write your own cookie header.

Mark
