tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: SameSite attribute handling
Date Mon, 06 Jul 2020 17:29:10 GMT

Abirami,

On 7/6/20 12:16, S Abirami wrote:
> I have used setHeader, addCookie for that also it is getting
> twice

Of course it is, if Tomcat is automatically adding a Cookie to the
response for you.

> Only after, disabling cookie false in context.xml setHeader for
> cookie is working.

What exact version of Tomcat are you using?

What is the problem you are trying to solve?

If you are setting sameSiteCookies to something other than "unset",
then it will affect all cookies for which Tomcat generates a
"Set-Cookie" header.

> I tried option also
??

From your original post:

> Context changes reflecting issue in tenable vulnerable.

I'm not sure I understand what you are saying, here. Can you explain
in a different way?

-chris

> -----Original Message-----
> From: Christopher Schultz <chris@christopherschultz.net>
> Sent: Thursday, July 2, 2020 11:07 PM
> To: Tomcat Users List <users@tomcat.apache.org>
> Subject: Re: SameSite attribute handling
>
> Abirami,
>
> On 7/1/20 03:06, S Abirami wrote:
>> We can add the samesite attribute in set-cookie header through
>> context.xml entry in tomcat. Is there any other way, can we add
>> samesite attribute in response of set-cookie header.
> Not for Tomcat-generated cookies, and not for cookies added to the
> response like this:
>
> response.addCookie(myCookie);
>
> This is because the Servlet API hasn't yet caught up with
> state-of-the-art.
>
> You can, however, craft your own Set-Cookie response header like
> this:
>
> response.addHeader("Set-Cookie", "CookieName=value; SameSite=Strict");
>
> Remember that there are rules about the composition of the cookie's
> name, value, etc. that Tomcat enforces for you that you will have
> to handle yourself.
>
>> I tried with filter by using setHeader but it is sending two
>> set-Cookie header.
>
> Correct: you will have to use *either* setCookie() or setHeader().
>
> -chris
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
