tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: SameSite cookies
Date Fri, 08 Nov 2019 17:17:39 GMT

Mark,

On 11/8/19 11:53, Mark Thomas wrote:
>> All,
>> 
>> I'm looking at using "samesite" cookies within my application.
>> It looks as simple as setting the "sameSite" attribute
>> appropriately on the CookieProcessor for the <Context>, which
>> isn't there in a default configuration. So you just have to add
>> it:
>> 
>> <Context [...]>
>> 
>> <CookieProcessor sameSiteCookies="lax" />
>> 
>> </Context>
>> 
>> Cool, now my JSESSIONID cookies are coming back with the
>> SameSite=Lax parameter.
>> 
>> But it also applies to all the other cookies my application
>> creates. It looks like there is no way to set/reset this
>> parameter on an individual-cookie basis. That would require a
>> change to the Servlet API, right?
> 
> That would be one way to implement it - and then the app would have
> to (un)set it.
> 
> Per Cookie configuration in CookieProcessor would be another way.
> I haven't thought about how that might be implemented though.

Since there seem to be enough cookie parameters that the servlet spec
doesn't support[1], it might not be a bad idea to propose two new
methods to be added to the Cookie class:

  public void setAttribute(String name, String value);
  public String getAttribute(String name);

Then, if e.g. SameSite isn't directly supported by the Cookie API,
applications can still:

  Cookie cookie = new Cookie("my_cookie", "my_value"); // Cookie has no single-arg constructor
  cookie.setAttribute("SameSite", "Strict"); // or null

>> I'm okay with SameSite being applied to ALL my cookies, but maybe
>> not everybody is. Are there any workarounds for this?
> 
> Manually write your own cookie header.

Duh. Of course that will work :)

-chris

[1] https://scotthelme.co.uk/tough-cookies/
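Mark's suggested workaround, writing the Set-Cookie header by hand so that SameSite can be chosen per cookie rather than for the whole Context, as an added example that is not code from this thread or from Tomcat. It assumes a Tomcat 9 / javax.servlet application; the class and method names are hypothetical.

```java
import java.util.regex.Pattern;
import javax.servlet.http.HttpServletResponse;

// Added example (not from the thread or from Tomcat): builds a Set-Cookie header
// by hand so SameSite can be set per cookie, bypassing the Context-wide
// <CookieProcessor sameSiteCookies="..."/> setting.
public final class SameSiteCookie {

    public enum SameSite { STRICT, LAX, NONE }

    // RFC 6265 grammar: cookie-name is a token, cookie-value is cookie-octets
    // (no CTLs, whitespace, '"', ',', ';' or '\'), path-value has no CTLs or ';'.
    // Rejecting anything else keeps attacker-influenced values from breaking out
    // of the header (CR/LF, stray ';').
    private static final Pattern NAME  = Pattern.compile("[!#$%&'*+.^_`|~0-9A-Za-z-]+");
    private static final Pattern VALUE = Pattern.compile("[\\x21\\x23-\\x2B\\x2D-\\x3A\\x3C-\\x5B\\x5D-\\x7E]*");
    private static final Pattern PATH  = Pattern.compile("[^\\x00-\\x1F\\x7F;]*");

    /** Returns the header value, e.g. "pref=dark; Path=/; Secure; HttpOnly; SameSite=Lax". */
    public static String build(String name, String value, String path,
                               boolean secure, boolean httpOnly, SameSite sameSite) {
        if (!NAME.matcher(name).matches() || !VALUE.matcher(value).matches()
                || (path != null && !PATH.matcher(path).matches())) {
            throw new IllegalArgumentException("cookie name, value or path contains disallowed characters");
        }
        if (sameSite == SameSite.NONE && !secure) {
            // Browsers that enforce the SameSite=None rule drop the cookie unless it is also Secure.
            throw new IllegalArgumentException("SameSite=None requires Secure");
        }
        StringBuilder sb = new StringBuilder(name).append('=').append(value);
        if (path != null) sb.append("; Path=").append(path);
        if (secure)       sb.append("; Secure");
        if (httpOnly)     sb.append("; HttpOnly");
        if (sameSite != null) {
            String n = sameSite.name();
            sb.append("; SameSite=").append(n.charAt(0)).append(n.substring(1).toLowerCase());
        }
        return sb.toString();
    }

    /** Emits the cookie on the response without going through response.addCookie(). */
    public static void add(HttpServletResponse resp, String name, String value, String path,
                           boolean secure, boolean httpOnly, SameSite sameSite) {
        // addHeader, not setHeader: an existing Set-Cookie for JSESSIONID must survive.
        resp.addHeader("Set-Cookie", build(name, value, path, secure, httpOnly, sameSite));
    }
}
```

Cookies still created via response.addCookie() keep the CookieProcessor's global SameSite value; only the hand-written ones carry their own.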
