Implementation of SameSite cookie attribute #165
Closed
Introduction
Hi folks, this pull request is an attempt to implement the SameSite cookie attribute according to https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-03.
The main objective is to reduce the CSRF vulnerability.
Some articles:
https://web.dev/samesite-cookies-explained
https://www.owasp.org/index.php/SameSite
As this is my first real pull request I'm listening to you :-)
Implementation:
This implementation is on two levels:
Implementation details:
Classes patched based on what was needed to add HttpOnly (thanks to Mark Thomas comment http://tomcat.10.x6.nabble.com/Support-SameSite-cookie-attribute-in-Tomcat-td5075308.html that helped to identify which classes to edit).
Design:
Name of the cookie attribute: SameSiteEnforcement (with getSameSite/setSameSite methods)
No boolean/method like isSameSite:
If not null, the “SameSite” attribute will only allow the following valid values: None, Lax, Strict
I don’t see the need for an isSameSite because we need to get the value, which is not a boolean (not the case with the httpOnly attribute).
Choice open for discussion. FYI Undertow has isSame and (get|set)SameSiteMode : undertow-io/undertow#499
To set the SameSiteEnforcement for the session cookie, set it on the Context Container, like httpOnly before it was true by default or before it was part of the Java EE standard.
Not sure about the ApplicationSessionCookieConfig.java modification: should ApplicationSessionCookieConfig maybe have a sameSite?
Next ?
If you’re ok with the idea, I can go further:
Add/Polish Javadocs
Polish context.xml documentation
Add tests
...
Thanks!
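As an added illustration of the design described above (not code from this pull request or from Tomcat), the following stand-alone class shows the proposed contract for setSameSite: null means the attribute is omitted from Set-Cookie, and any value other than None, Lax or Strict is rejected. The class name, the builder shape and the sample cookie values are assumptions made for the example.

```java
import java.util.Arrays;
import java.util.List;

// Hypothetical illustration of the PR's SameSite contract on a minimal
// Set-Cookie builder. Not the PR's own classes.
public final class SameSiteCookie {
    // The only values draft-ietf-httpbis-rfc6265bis-03 defines for SameSite.
    private static final List<String> ALLOWED = Arrays.asList("None", "Lax", "Strict");

    private final String name;
    private final String value;
    private boolean httpOnly;
    private String sameSite; // null: attribute is not emitted at all

    public SameSiteCookie(String name, String value) {
        this.name = name;
        this.value = value;
    }

    public void setHttpOnly(boolean httpOnly) { this.httpOnly = httpOnly; }

    // Mirrors the proposed setSameSite: a String, not a boolean, because the
    // enforcement mode itself is what the caller needs back from getSameSite.
    public void setSameSite(String sameSite) {
        if (sameSite != null && !ALLOWED.contains(sameSite)) {
            throw new IllegalArgumentException("Invalid SameSite value: " + sameSite);
        }
        this.sameSite = sameSite;
    }

    public String getSameSite() { return sameSite; }

    // Renders the Set-Cookie header value; SameSite is appended only when set.
    public String toHeaderValue() {
        StringBuilder sb = new StringBuilder(name).append('=').append(value);
        if (httpOnly) sb.append("; HttpOnly");
        if (sameSite != null) sb.append("; SameSite=").append(sameSite);
        return sb.toString();
    }

    public static void main(String[] args) {
        SameSiteCookie c = new SameSiteCookie("JSESSIONID", "constructed-session-id");
        c.setHttpOnly(true);
        c.setSameSite("Lax");
        System.out.println(c.toHeaderValue());
        try {
            c.setSameSite("Always"); // not a defined mode: rejected, header unchanged
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```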