Cookie security attributes are going to be mandated by Google Chrome #4247
Comments
For Session Cookies, we need to support a configuration for the
Work is being done also on the servlet-api jakartaee/servlet#175
Allows sameSite cookie settings to be configured in SessionCookieConfig comments Signed-off-by: Greg Wilkins <gregw@webtide.com>
Use non versioned cookie Signed-off-by: Greg Wilkins <gregw@webtide.com>
Added test and fixed getCommentWithAttributes Signed-off-by: Greg Wilkins <gregw@webtide.com>
Opened PR #4271
Signed-off-by: Joakim Erdfelt <joakim.erdfelt@gmail.com>
While it may be best practice to always use Secure cookies when SameSite is None, there is nothing in the RFC that mandates it and thus I don't believe we should prevent such a configuration. If browsers enforce this, then users will find out soon enough... and if browsers change, then we are not required to do a new release to match. Signed-off-by: Greg Wilkins <gregw@webtide.com>
For cookie comments with multiple SameSite attributes, the most strict value is used. So `Strict` has precedence over `Lax` which has precedence over `None`. Signed-off-by: Greg Wilkins <gregw@webtide.com>
* Issue #4247 SameSite Session Cookie: Allows sameSite cookie settings to be configured in SessionCookieConfig comments. Signed-off-by: Greg Wilkins <gregw@webtide.com>
* Issue #4247 SameSite Session Cookies: Use non versioned cookie. Signed-off-by: Greg Wilkins <gregw@webtide.com>
* Issue #4247 SameSite Session Cookies: Added test and fixed getCommentWithAttributes. Signed-off-by: Greg Wilkins <gregw@webtide.com>
* Issue #4247 - Updating unit tests for HttpCookie. Signed-off-by: Joakim Erdfelt <joakim.erdfelt@gmail.com>
* Issue #4247 SameSite Session Cookie: While it may be best practice to always use Secure cookies when SameSite is None, there is nothing in the RFC that mandates it and thus I don't believe we should prevent such a configuration. If browsers enforce this, then users will find out soon enough... and if browsers change, then we are not required to do a new release to match. Signed-off-by: Greg Wilkins <gregw@webtide.com>
* Issue #4247 SameSite Session Cookie: For cookie comments with multiple SameSite attributes, the most strict value is used. So `Strict` has precedence over `Lax` which has precedence over `None`. Signed-off-by: Greg Wilkins <gregw@webtide.com>
Note that to use sameSite cookies for the session cookie, you can activate using web.xml (and STRICT/LAX/NONE in the comment):

```xml
<session-config>
  <cookie-config>
    <comment>__SAME_SITE_STRICT__</comment>
  </cookie-config>
</session-config>
```
I think we need to do more on this issue. Considering that Chrome will soon ignore cookies without Same-Site, then it is not sufficient just to allow applications to specify Same-Site if they wish. We need the ability to add the attribute to cookies created by existing code, i.e. the container needs to be able to set a default other than null.
See also jakartaee/servlet#271
Signed-off-by: Jan Bartel <janb@webtide.com>
Signed-off-by: Jan Bartel <janb@webtide.com>
The samesite attribute can now be set via a context default value. Thus, the samesite attribute will be present if it is either set explicitly, or there is a default value set for the context. According to the documentation links provided on this issue, Chrome will use a default value of LAX if no samesite value is present in a cookie.
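To make the two rules in this thread concrete (the "strictest marker wins" precedence from the commit messages, and the explicit-marker-else-context-default resolution from the comment above), here is a small self-contained model in Python. It is an added example, not Jetty's code: the `__SAME_SITE_STRICT__` marker is the one shown in the web.xml snippet, while the `__SAME_SITE_LAX__` and `__SAME_SITE_NONE__` spellings are assumed by analogy, and the function and parameter names are the example's own. The `audit_set_cookie` helper flags the two cases a reviewer would look for: no `SameSite` attribute at all (so the browser default, Lax in Chrome, decides the behaviour) and `SameSite=None` without `Secure`.

```python
"""Model of SameSite resolution for a session cookie (constructed example, not Jetty's code)."""

# Comment markers: __SAME_SITE_STRICT__ is the one shown in the web.xml snippet in
# this thread; the LAX and NONE spellings are assumed by analogy.
SAME_SITE_MARKERS = {
    "__SAME_SITE_STRICT__": "Strict",
    "__SAME_SITE_LAX__": "Lax",
    "__SAME_SITE_NONE__": "None",
}

# Precedence when several markers appear in one comment: Strict over Lax over None.
STRICTNESS = {"Strict": 2, "Lax": 1, "None": 0}


def same_site_from_comment(comment):
    """Return the strictest SameSite value named in a cookie comment, or None if absent."""
    text = comment or ""
    found = [value for marker, value in SAME_SITE_MARKERS.items() if marker in text]
    if not found:
        return None
    return max(found, key=lambda v: STRICTNESS[v])


def strip_markers(comment):
    """Remove the markers so the remaining human-readable comment can still be used."""
    text = comment or ""
    for marker in SAME_SITE_MARKERS:
        text = text.replace(marker, "")
    return text.strip()


def resolve_same_site(comment, context_default=None):
    """An explicit marker wins; otherwise the context-wide default (which may be None)."""
    explicit = same_site_from_comment(comment)
    return explicit if explicit is not None else context_default


def build_set_cookie(name, value, comment=None, context_default=None,
                     secure=False, http_only=True, path="/"):
    """Render a Set-Cookie header value carrying the resolved SameSite attribute."""
    parts = [f"{name}={value}", f"Path={path}"]
    if http_only:
        parts.append("HttpOnly")
    if secure:
        parts.append("Secure")
    same_site = resolve_same_site(comment, context_default)
    if same_site is not None:
        parts.append(f"SameSite={same_site}")
    return "; ".join(parts)


def audit_set_cookie(header):
    """Return findings for a Set-Cookie header value.

    Checks: no SameSite attribute (the browser default applies, Lax in Chrome, so
    behaviour is decided by the client rather than the server) and SameSite=None
    without Secure (a combination browsers are moving to reject).
    """
    attrs = {}
    for part in header.split(";")[1:]:  # skip the name=value pair itself
        key, _, val = part.strip().partition("=")
        attrs[key.lower()] = val
    findings = []
    same_site = attrs.get("samesite")
    if same_site is None:
        findings.append("no SameSite attribute: browser default applies (Chrome: Lax)")
    elif same_site.lower() == "none" and "secure" not in attrs:
        findings.append("SameSite=None without Secure")
    return findings


if __name__ == "__main__":
    # Constructed session id; two markers in one comment exercise the precedence rule.
    hdr = build_set_cookie("JSESSIONID", "constructed-id",
                           comment="__SAME_SITE_LAX__ __SAME_SITE_STRICT__")
    print(hdr, audit_set_cookie(hdr))
```

Running the module prints a header ending in `SameSite=Strict` with no findings; dropping the comment and the context default produces a header with no `SameSite` attribute, which the audit reports as relying on the browser default.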
See https://blog.chromium.org/2019/10/developers-get-ready-for-new.html
Also the feedback at #3040 (comment)
We need to have a solution for the following: