tomcat-dev mailing list archives

From GitBox <>
Subject [GitHub] [tomcat] farnulfo opened a new pull request #165: Implementation of SameSite cookie attribute
Date Mon, 13 May 2019 17:49:43 GMT
farnulfo opened a new pull request #165:  Implementation of SameSite cookie attribute
# Introduction
Hi folks, this pull request is an attempt to implement the SameSite cookie attribute according to .
The main objective is to reduce the CSRF vulnerability.
Some articles :
As this is my first real pull request I'm listening to you :-)
# Implementation:
This implementation is on two levels:
- In Cookie / CookieGenerator classes
  - Add variable and getter/setter for this attribute
  - Generate the Set-Cookie header with this attribute if needed
- In Apache Tomcat Context and subclasses
  - Enable the use of the SameSite attribute for the session cookie (JSESSIONID), which can't be easily done
Implementation details:
Classes patched based on what was needed to add HttpOnly (thanks to Mark Thomas' comment that helped to identify which classes to edit).
Design:
Name of the cookie attribute: SameSiteEnforcement (with getSameSite/setSameSite methods)
No boolean/method like isSameSite:
If not null, the "SameSite" attribute will only allow the following valid values: None, Lax, Strict
I don't see the need for an isSameSite because we need to get the value, which is not a boolean (not the case with the httpOnly attribute).
Choice open for discussion. FYI Undertow has isSame and (get|set)SameSiteMode :
To set the SameSiteEnforcement for the session cookie, set it on the Context Container like httpOnly before it was true by default or before it was part of the Java EE standard.
Not sure about the modification: should ApplicationSessionCookieConfig maybe have a sameSite?
# Next ?
If you're ok with the idea, I can go further:
- Add/Polish Javadocs
- Polish context.xml documentation
- Add tests
Thanks!
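As an added illustration of the design described in this pull request (example code written for this page, not the PR's or Tomcat's own code), the following stand-alone Python model implements the same three ideas: a cookie with an optional SameSite value restricted to None/Lax/Strict and a getter rather than an isSameSite boolean, a Set-Cookie header that carries the attribute only when it is set, and a context-level default applied to the JSESSIONID session cookie. The class and function names (Cookie, render_set_cookie, SessionCookieContext, make_session_cookie) are hypothetical. The one rule not taken from the PR is the check that SameSite=None is only emitted together with Secure, which is how browsers treat that combination; it is labelled as such in the code.

```python
"""Added example (not part of the pull request or Tomcat's code): a stand-alone
model of the SameSite design described above.  A cookie carries an optional
sameSite value restricted to None/Lax/Strict, the Set-Cookie header gets the
attribute only when the value is set, and a context-level default is applied
to the session cookie (JSESSIONID) the way the PR proposes for the Context
container.  Class and function names here are hypothetical."""
from dataclasses import dataclass
from typing import Optional

# The only values the PR allows for the attribute.
VALID_SAME_SITE = ("None", "Lax", "Strict")


@dataclass
class Cookie:
    name: str
    value: str
    path: Optional[str] = None
    secure: bool = False
    http_only: bool = False
    # Python None means "attribute not set"; the string "None" is the
    # SameSite=None value, which is why the PR wants a getter rather than
    # an isSameSite() boolean.
    same_site: Optional[str] = None

    def __post_init__(self) -> None:
        # Validate a value passed through the constructor as well.
        self.set_same_site(self.same_site)

    def get_same_site(self) -> Optional[str]:
        return self.same_site

    def set_same_site(self, value: Optional[str]) -> None:
        """Reject anything but the three valid values (or unsetting)."""
        if value is not None and value not in VALID_SAME_SITE:
            raise ValueError(f"invalid SameSite value: {value!r}")
        self.same_site = value


def render_set_cookie(cookie: Cookie) -> str:
    """Build the Set-Cookie header value, emitting SameSite only if set."""
    parts = [f"{cookie.name}={cookie.value}"]
    if cookie.path:
        parts.append(f"Path={cookie.path}")
    if cookie.secure:
        parts.append("Secure")
    if cookie.http_only:
        parts.append("HttpOnly")
    if cookie.same_site is not None:
        # Browser rule (not from the PR): SameSite=None is only honoured on
        # Secure cookies, so refuse to emit a combination browsers would drop.
        if cookie.same_site == "None" and not cookie.secure:
            raise ValueError("SameSite=None requires the Secure attribute")
        parts.append(f"SameSite={cookie.same_site}")
    return "; ".join(parts)


@dataclass
class SessionCookieContext:
    """Hypothetical stand-in for the per-Context settings the PR adds."""
    use_http_only: bool = True
    same_site: Optional[str] = None   # e.g. a context.xml sameSite="Lax"


def make_session_cookie(context: SessionCookieContext, session_id: str,
                        secure: bool = False) -> Cookie:
    """Create JSESSIONID with the context's HttpOnly and SameSite defaults."""
    return Cookie("JSESSIONID", session_id, path="/", secure=secure,
                  http_only=context.use_http_only,
                  same_site=context.same_site)


if __name__ == "__main__":
    ctx = SessionCookieContext(same_site="Lax")
    print(render_set_cookie(make_session_cookie(ctx, "abc123")))
    # JSESSIONID=abc123; Path=/; HttpOnly; SameSite=Lax
```

Validating in the setter rather than at render time mirrors the PR's choice of a constrained setter: a misspelled value such as "lax" fails when it is configured, not silently at the first response, and a cookie whose SameSite is unset renders exactly as it did before the attribute existed.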

