From: "M. Manna"
Date: Fri, 8 Nov 2019 15:40:55 +0000
Subject: Re: SameSite cookies
To: Tomcat Users List

Hey Chris,

Interesting question. The samesite attribute is also there to protect cookies from possible cross-site attacks. Even if you have super domain cookies, using strict/lax shouldn't make any difference for you, or does it?

Thanks,

On Fri, 8 Nov 2019 at 15:04, Christopher Schultz <chris@christopherschultz.net> wrote:

> All,
>
> I'm looking at using "samesite" cookies within my application. It
> looks as simple as setting the "sameSite" attribute appropriately on
> the CookieProcessor for the , which isn't there in a default
> configuration. So you just have to add it:
>
>
>
> Cool, now my JSESSIONID cookies are coming back with the SameSite=Lax
> parameter.
>
> But it also applies to all the other cookies my application creates.
> It looks like there is no way to set/reset this parameter on an
> individual-cookie basis. That would require a change to the Servlet
> API, right?
>
> I'm okay with SameSite being applied to ALL my cookies, but maybe not
> everybody is. Are there any workarounds for this?
>
> -chris
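As an added illustration of the per-cookie problem raised in the thread (this is example code written for this note, not Chris's configuration, Tomcat's code, or anything from the Servlet API project), here is a hypothetical servlet Filter that sidesteps the global CookieProcessor setting for a chosen set of application cookies. It assumes a Servlet 4.0 container with the javax.servlet namespace (e.g. Tomcat 9) and Java 9 or later for Map.of; the cookie names "csrftoken" and "theme" and the PerCookieSameSiteFilter class name are constructed for the example. Cookies that Tomcat itself emits, such as JSESSIONID, never pass through the wrapper's addCookie(), so they keep whatever the CookieProcessor's sameSite attribute says.

```java
import java.io.IOException;
import java.util.Map;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

/**
 * Hypothetical example filter (not Tomcat or Servlet API code): serialises a
 * chosen set of cookies by hand so each one can carry its own SameSite value.
 * Every other cookie still goes through addCookie() and therefore through the
 * CookieProcessor, whose sameSite attribute applies to all of them at once.
 */
public class PerCookieSameSiteFilter implements Filter {

    /** Constructed example policy: cookie name -> SameSite value. */
    private static final Map<String, String> SAME_SITE_POLICY = Map.of(
            "csrftoken", "Strict",   // anti-CSRF token: never sent on cross-site requests
            "theme",     "None");    // harmless preference cookie that is needed cross-site

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse http = (HttpServletResponse) res;
        chain.doFilter(req, new HttpServletResponseWrapper(http) {
            @Override
            public void addCookie(Cookie cookie) {
                String sameSite = SAME_SITE_POLICY.get(cookie.getName());
                if (sameSite == null) {
                    super.addCookie(cookie);   // CookieProcessor default applies
                } else {
                    // Write the header directly; the CookieProcessor is not involved.
                    addHeader("Set-Cookie", toSetCookie(cookie, sameSite));
                }
            }
        });
    }

    /** Builds an RFC 6265 Set-Cookie value with an explicit SameSite attribute. */
    static String toSetCookie(Cookie c, String sameSite) {
        StringBuilder sb = new StringBuilder()
                .append(c.getName()).append('=')
                .append(c.getValue() == null ? "" : c.getValue());
        if (c.getMaxAge() >= 0) {           // -1 means "session cookie": no Max-Age
            sb.append("; Max-Age=").append(c.getMaxAge());
        }
        if (c.getDomain() != null) {
            sb.append("; Domain=").append(c.getDomain());
        }
        if (c.getPath() != null) {
            sb.append("; Path=").append(c.getPath());
        }
        // Browsers reject SameSite=None without Secure, so add it rather than
        // emit a cookie the browser silently drops.
        if (c.getSecure() || "None".equalsIgnoreCase(sameSite)) {
            sb.append("; Secure");
        }
        if (c.isHttpOnly()) {
            sb.append("; HttpOnly");
        }
        return sb.append("; SameSite=").append(sameSite).toString();
    }
}
```

Map the filter in web.xml (or with @WebFilter) in front of the servlets that set these cookies. The design keeps the CookieProcessor as the safe default for everything, including the session cookie, and only opts named cookies out of it; the Strict entry for the anti-CSRF token is the security-relevant case, since a token cookie that is never attached to cross-site requests cannot be replayed by a forged request.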