tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: SameSite cookies
Date Fri, 08 Nov 2019 17:21:36 GMT

M,

On 11/8/19 10:40, M. Manna wrote:
> Interesting question.
> 
> The SameSite attribute is also meant to protect cookies from possible
> cross-site attacks. Even if you have super domain cookies, using
> strict/lax shouldn't make any difference for you, or does it?

I was just thinking that it's obvious that Tomcat would handle the
JSESSIONID cookie with respect to the SameSite policy. But the
CookieProcessor affects *all* cookies for the whole application, not
just those created for session-tracking. Perhaps you want different
policies for different (types of) cookies.

I haven't really thought of any specific use-cases, honestly.

Mark's workaround of directly-generating the Set-Cookie response
header is obviously the answer if you want different policies for
different cookies. That just may require applications to be re-written
if the administrator wants to enable e.g. SameSite=Strict for the
JSESSIONID cookie, because there is no way to say "only apply this
policy to JSESSIONID cookies" or anything like that.

-chris

> On Fri, 8 Nov 2019 at 15:04, Christopher Schultz <chris@christopherschultz.net> wrote:
> 
> All,
> 
> I'm looking at using "samesite" cookies within my application. It 
> looks as simple as setting the "sameSite" attribute appropriately
> on the CookieProcessor for the <Context>, which isn't there in a
> default configuration. So you just have to add it:
> 
> <Context [...]>
>   <CookieProcessor sameSiteCookies="lax" />
> </Context>
> 
> Cool, now my JSESSIONID cookies are coming back with the
> SameSite=Lax parameter.
> 
> But it also applies to all the other cookies my application
> creates. It looks like there is no way to set/reset this parameter
> on an individual-cookie basis. That would require a change to the
> Servlet API, right?
> 
> I'm okay with SameSite being applied to ALL my cookies, but maybe
> not everybody is. Are there any workarounds for this?
> 
> -chris
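Editor's note: the workaround discussed above (emit the Set-Cookie header yourself when one cookie needs a different SameSite policy than the CookieProcessor applies to the whole <Context>) is easy to get subtly wrong, so here is an added, hypothetical example. It is not code from this thread, from Chris, Mark or the Tomcat project; the filter name, the cookie names in the policy table and the default policy are all assumptions made for the illustration. The idea: configure the CookieProcessor with the strict policy you want for JSESSIONID, and let the application's own cookies bypass it by writing their Set-Cookie header directly through a response wrapper, each with the policy the table assigns to it.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

/**
 * Hypothetical filter (not Tomcat code): gives each application cookie its own
 * SameSite value by emitting the Set-Cookie header directly, which bypasses the
 * CookieProcessor configured on the <Context>.
 *
 * Caveat: Tomcat writes the session cookie (JSESSIONID) itself on the connector
 * response, not through this wrapper, so it keeps the CookieProcessor policy
 * (e.g. sameSiteCookies="strict"). Only cookies the application adds via
 * response.addCookie() go through here.
 */
public class SameSiteCookieFilter implements Filter {

    /** Assumed policy table: cookie name -> SameSite value. Names are made up. */
    private static final Map<String, String> POLICY = new HashMap<>();
    static {
        POLICY.put("csrf-token", "Strict");
        POLICY.put("embed-pref", "None"); // e.g. read by a cross-site embed
    }

    /** Assumed default for application cookies not listed in the table. */
    private static final String DEFAULT_POLICY = "Lax";

    @Override
    public void init(FilterConfig cfg) { }

    @Override
    public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (res instanceof HttpServletResponse) {
            chain.doFilter(req, new SameSiteResponse((HttpServletResponse) res));
        } else {
            chain.doFilter(req, res);
        }
    }

    /** Intercepts addCookie() and writes the header with the per-cookie policy. */
    static final class SameSiteResponse extends HttpServletResponseWrapper {
        SameSiteResponse(HttpServletResponse r) { super(r); }

        @Override
        public void addCookie(Cookie c) {
            String policy = POLICY.getOrDefault(c.getName(), DEFAULT_POLICY);
            // addHeader, not setHeader: a response may carry several Set-Cookie headers
            super.addHeader("Set-Cookie", setCookieHeader(c, policy));
        }
    }

    /** Builds the Set-Cookie value (RFC 6265 attribute syntax) for one cookie. */
    static String setCookieHeader(Cookie c, String sameSite) {
        String value = c.getValue() == null ? "" : c.getValue();
        // We are no longer behind the CookieProcessor's quoting, so refuse values
        // that would let a caller inject attributes or break the header.
        for (char ch : value.toCharArray()) {
            if (ch < 0x21 || ch == ';' || ch == ',' || ch == '"' || ch == '\\' || ch == 0x7f) {
                throw new IllegalArgumentException("Illegal character in cookie value");
            }
        }
        StringBuilder sb = new StringBuilder();
        sb.append(c.getName()).append('=').append(value);
        if (c.getPath() != null)   sb.append("; Path=").append(c.getPath());
        if (c.getDomain() != null) sb.append("; Domain=").append(c.getDomain());
        if (c.getMaxAge() >= 0)    sb.append("; Max-Age=").append(c.getMaxAge());
        // Browsers reject SameSite=None without Secure, so force it in that case.
        if (c.getSecure() || "None".equalsIgnoreCase(sameSite)) sb.append("; Secure");
        if (c.isHttpOnly())        sb.append("; HttpOnly");
        sb.append("; SameSite=").append(sameSite);
        return sb.toString();
    }
}
```

Register the filter in web.xml (or with @WebFilter) for the paths that set application cookies, and keep <CookieProcessor sameSiteCookies="strict" /> in the <Context> for the session cookie. A quick check with curl -i against a page that sets "embed-pref" should show a Set-Cookie line ending in "; Secure; SameSite=None", while the JSESSIONID line still carries SameSite=Strict from the CookieProcessor.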

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

