tomcat-users mailing list archives

From Mark Thomas
Subject Re: SameSite cookies
Date Fri, 08 Nov 2019 16:53:18 GMT
> All,
> I'm looking at using "samesite" cookies within my application. It
> looks as simple as setting the "sameSite" attribute appropriately on
> the CookieProcessor for the <Context>, which isn't there in a default
> configuration. So you just have to add it:
> <Context [...]>
>    <CookieProcessor sameSiteCookies="lax" />
> </Context>
> Cool, now my JSESSIONID cookies are coming back with the SameSite=Lax
> parameter.
> But it also applies to all the other cookies my application creates.
> It looks like there is no way to set/reset this parameter on an
> individual-cookie basis. That would require a change to the Servlet
> API, right?

That would be one way to implement it - and then the app would have to
(un)set it.

Per Cookie configuration in CookieProcessor would be another way. I
haven't thought about how that might be implemented though.

> I'm okay with SameSite being applied to ALL my cookies, but maybe not
> everybody is. Are there any workarounds for this?

Manually write your own cookie header.

