tomcat-dev mailing list archives

From GitBox <...@apache.org>
Subject [GitHub] [tomcat] farnulfo opened a new pull request #165: Implementation of SameSite cookie attribute
Date Mon, 13 May 2019 17:49:43 GMT
farnulfo opened a new pull request #165:  Implementation of SameSite cookie attribute
URL: https://github.com/apache/tomcat/pull/165
 
 
   # Introduction
   Hi folks, this pull request is an attempt to implement the SameSite cookie attribute according
to https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-03 .
   
   The main objective is to reduce the CSRF vulnerability.
   Some articles : 
   https://web.dev/samesite-cookies-explained
   https://www.owasp.org/index.php/SameSite
   
   As this is my first real pull request, I'm listening to you :-)
   
   # Implementation:
   This implementation is on two levels:
   - In Cookie / CookieGenerator classes
     - Add variable and getter/setter for this attribute
     - Generate the Set-Cookie header with this attribute if needed
   - In Apache Tomcat Context and subclasses
     - Enable the use of SameSite attribute for the session cookie (JSESSIONID) which can’t
be easily done
   
   Implementation details:
   Classes patched based on what was needed to add HttpOnly (thanks to Mark Thomas's comment
http://tomcat.10.x6.nabble.com/Support-SameSite-cookie-attribute-in-Tomcat-td5075308.html
which helped identify which classes to edit).
   
   Design :
   Name of the cookie attribute: SameSiteEnforcement (with getSameSite/setSameSite methods)
   No boolean/method like isSameSite:
   If not null, the "SameSite" attribute will only allow the following valid values: None,
Lax, Strict
   I don't see the need for an isSameSite because we need to get the value, which is not a
boolean (unlike the httpOnly attribute).
   Choice open for discussion. FYI Undertow has isSame and (get|set)SameSiteMode : https://github.com/undertow-io/undertow/pull/499
   
   To set the SameSiteEnforcement for the session cookie, set it on the Context container, like
httpOnly before it was true by default or before it was part of the Java EE standard.
   
   Not sure about the ApplicationSessionCookieConfig.java modification: should ApplicationSessionCookieConfig
maybe have a sameSite too?
   
   # Next ?
   If you're OK with the idea, I can go further:
   Add/Polish Javadocs
   Polish context.xml documentation
   Add tests 
   ...
   
   Thanks!

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


With regards,
Apache Git Services

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
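The design sketched in the pull request above, a nullable SameSite value restricted to None, Lax or Strict that is emitted into the Set-Cookie header next to HttpOnly and Secure, and parsed from a configuration string the way a context-level setting would be, as an added stand-alone example. This is not Tomcat's code nor the pull request's patch; the class name SameSiteCookieHeader, its builder-style setters and the parse() helper are assumptions made for illustration. It also adds one check a practitioner would want that the draft cited by the PR does not impose: browsers such as Chrome 80 and later discard a SameSite=None cookie that is not also Secure, so the builder refuses to emit that combination.

```java
import java.util.Objects;

/**
 * Added example, not Tomcat code: a minimal Set-Cookie header builder that
 * models the design proposed in the pull request (a nullable SameSite value
 * restricted to None, Lax or Strict, emitted next to HttpOnly and Secure).
 */
public final class SameSiteCookieHeader {

    /** The three values draft-ietf-httpbis-rfc6265bis-03 allows for SameSite. */
    public enum SameSite {
        NONE("None"), LAX("Lax"), STRICT("Strict");

        private final String token;

        SameSite(String token) {
            this.token = token;
        }

        /**
         * Parses a configuration string (e.g. a hypothetical context.xml
         * attribute) case-insensitively. Null or blank means "do not emit the
         * attribute"; any other unknown value is rejected, not passed through.
         */
        public static SameSite parse(String configured) {
            if (configured == null || configured.trim().isEmpty()) {
                return null;
            }
            for (SameSite candidate : values()) {
                if (candidate.token.equalsIgnoreCase(configured.trim())) {
                    return candidate;
                }
            }
            throw new IllegalArgumentException(
                    "Invalid SameSite value '" + configured + "'; expected None, Lax or Strict");
        }
    }

    private final String name;
    private final String value;
    private String path = "/";
    private boolean secure;
    private boolean httpOnly;
    private SameSite sameSite; // null: attribute omitted, browser default applies

    public SameSiteCookieHeader(String name, String value) {
        this.name = Objects.requireNonNull(name, "name");
        this.value = Objects.requireNonNull(value, "value");
    }

    public SameSiteCookieHeader path(String path) { this.path = path; return this; }
    public SameSiteCookieHeader secure(boolean secure) { this.secure = secure; return this; }
    public SameSiteCookieHeader httpOnly(boolean httpOnly) { this.httpOnly = httpOnly; return this; }
    public SameSiteCookieHeader sameSite(SameSite sameSite) { this.sameSite = sameSite; return this; }

    /** Returns the Set-Cookie header value with attributes in a fixed order. */
    public String toHeaderValue() {
        // Caveat beyond the draft the PR targets: Chrome 80 and later drop a
        // SameSite=None cookie that is not also Secure, so fail loudly here.
        if (sameSite == SameSite.NONE && !secure) {
            throw new IllegalStateException(
                    "SameSite=None requires the Secure attribute, otherwise browsers drop the cookie");
        }
        StringBuilder header = new StringBuilder(name).append('=').append(value);
        if (path != null) {
            header.append("; Path=").append(path);
        }
        if (secure) {
            header.append("; Secure");
        }
        if (httpOnly) {
            header.append("; HttpOnly");
        }
        if (sameSite != null) {
            header.append("; SameSite=").append(sameSite.token);
        }
        return header.toString();
    }

    public static void main(String[] args) {
        // Session cookie as a context-level setting would configure it:
        // HttpOnly stays on, SameSite comes from the parsed config string.
        SameSiteCookieHeader session = new SameSiteCookieHeader("JSESSIONID", "1A2B3C4D")
                .httpOnly(true)
                .secure(true)
                .sameSite(SameSite.parse("lax"));
        System.out.println("Set-Cookie: " + session.toHeaderValue());

        // No SameSite configured: the attribute is simply absent.
        SameSiteCookieHeader plain = new SameSiteCookieHeader("theme", "dark")
                .sameSite(SameSite.parse(""));
        System.out.println("Set-Cookie: " + plain.toHeaderValue());

        // An invalid configuration value is rejected when it is parsed.
        try {
            SameSite.parse("Loose");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }

        // None without Secure is rejected when the header is generated.
        try {
            new SameSiteCookieHeader("tracker", "x").sameSite(SameSite.NONE).toHeaderValue();
        } catch (IllegalStateException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac SameSiteCookieHeader.java && java SameSiteCookieHeader`. The point of keeping the field nullable rather than adding an isSameSite() boolean, as the PR argues, is visible in toHeaderValue(): a null means "say nothing and let the browser default apply", while any non-null value has already been validated against the three tokens the draft permits, so no unchecked string ever reaches the header.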

