tomcat-users mailing list archives

From Rémy Maucherat <r...@apache.org>
Subject Re: SameSite cookies
Date Fri, 08 Nov 2019 15:16:55 GMT
On Fri, Nov 8, 2019 at 4:04 PM Christopher Schultz <chris@christopherschultz.net> wrote:

> All,
>
> I'm looking at using "samesite" cookies within my application. It
> looks as simple as setting the "sameSite" attribute appropriately on
> the CookieProcessor for the <Context>, which isn't there in a default
> configuration. So you just have to add it:
>
> <Context [...]>
>
>    <CookieProcessor sameSiteCookies="lax" />
>
> </Context>
>
> Cool, now my JSESSIONID cookies are coming back with the SameSite=Lax
> parameter.
>
> But it also applies to all the other cookies my application creates.
> It looks like there is no way to set/reset this parameter on an
> individual-cookie basis. That would require a change to the Servlet
> API, right?
>
> I'm okay with SameSite being applied to ALL my cookies, but maybe not
> everybody is. Are there any workarounds for this?
>

The Servlet API has no remove cookie API. If you use a Valve, you can
remove cookies using Response.getCookies and then remove from the list.
But this is not really the problem here since the same site thing is added
when the cookie header is generated. You can extend the CookieGenerator to
add more flexibility for your use case maybe?

Rémy
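One way to implement the extension Rémy suggests, as an added example that is not from the thread or from Tomcat itself: a CookieProcessor subclass that keeps the context-wide SameSite value for every cookie (JSESSIONID included) and strips the attribute only for an explicit list of cookie names. It assumes Tomcat 9.0.x with the javax.servlet API, the two-argument Rfc6265CookieProcessor.generateHeader(Cookie, HttpServletRequest) as the override point, and that Tomcat's digester populates the hypothetical exemptCookieNames attribute through its setter.

```java
package com.example.tomcat; // hypothetical package name
import java.util.Collections;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;

import org.apache.tomcat.util.http.Rfc6265CookieProcessor;

/**
 * Keeps the context-wide sameSiteCookies setting (e.g. Lax for JSESSIONID)
 * for every cookie, but removes the attribute again for the names listed in
 * exemptCookieNames. Configured in context.xml as:
 *   <CookieProcessor className="com.example.tomcat.PerCookieSameSiteProcessor"
 *                    sameSiteCookies="lax" exemptCookieNames="oauth_state" />
 * exemptCookieNames is a property of this class, not a standard Tomcat attribute.
 */
public class PerCookieSameSiteProcessor extends Rfc6265CookieProcessor {
    private volatile Set<String> exemptCookieNames = Collections.emptySet();

    // Tomcat's digester calls this for the exemptCookieNames="..." attribute.
    public void setExemptCookieNames(String csv) {
        Set<String> names = new HashSet<>();
        for (String n : csv.split(",")) {
            if (!n.trim().isEmpty()) {
                names.add(n.trim());
            }
        }
        exemptCookieNames = names;
    }

    @Override
    public String generateHeader(Cookie cookie, HttpServletRequest request) {
        // Let Tomcat build the complete Set-Cookie value, SameSite included.
        String header = super.generateHeader(cookie, request);
        return exemptCookieNames.contains(cookie.getName()) ? stripSameSite(header) : header;
    }

    // Removes a "; SameSite=<value>" attribute wherever it sits in the header.
    static String stripSameSite(String header) {
        int start = header.toLowerCase(Locale.ROOT).indexOf("; samesite=");
        if (start < 0) {
            return header;
        }
        int end = header.indexOf(';', start + 2);
        return end < 0 ? header.substring(0, start) : header.substring(0, start) + header.substring(end);
    }
}
```

Cookies on the exempt list are sent with whatever SameSite default the browser applies, so the list should be limited to cookies that genuinely must travel on cross-site requests.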
