Cookie security attributes are going to mandated by Google Chrome #4247
Comments
|
For Session Cookies, we need to support a configuration for the
|
joakime
added
the
Specification
|
Work is being done also on the servlet-api jakartaee/servlet#175 |
Allows sameSite cookie settings to be configured in SessionCookieConfig comments Signed-off-by: Greg Wilkins <gregw@webtide.com>
Use non versioned cookie Signed-off-by: Greg Wilkins <gregw@webtide.com>
Added test and fixed getCommentWithAttributes Signed-off-by: Greg Wilkins <gregw@webtide.com>
|
Opened PR #4271 |
Signed-off-by: Joakim Erdfelt <joakim.erdfelt@gmail.com>
While it may be best practise to always use Secure cookies when SameSite is None, there is nothing in the RFC that mandates it and thus I don't believe we should prevent such a configuration. If browsers enforce this, then users will find out soon enough... and if browsers change, then we are not required to do a new release to match. Signed-off-by: Greg Wilkins <gregw@webtide.com>
For cookie comments with multiple SameSite attributes, the most strict value is used. So `Strict` has precedence over `Lax` which has precedence over `None`. Signed-off-by: Greg Wilkins <gregw@webtide.com>
* Issue #4247 SameSite Session Cookie Allows sameSite cookie settings to be configured in SessionCookieConfig comments Signed-off-by: Greg Wilkins <gregw@webtide.com> * Issue #4247 SameSite Session Cookies Use non versioned cookie Signed-off-by: Greg Wilkins <gregw@webtide.com> * Issue #4247 SameSite Session Cookies Added test and fixed getCommentWithAttributes Signed-off-by: Greg Wilkins <gregw@webtide.com> * Issue #4247 - Updating unit tests for HttpCookie Signed-off-by: Joakim Erdfelt <joakim.erdfelt@gmail.com> * Issue #4247 SameSite Session Cookie While it may be best practise to always use Secure cookies when SameSite is None, there is nothing in the RFC that mandates it and thus I don't believe we should prevent such a configuration. If browsers enforce this, then users will find out soon enough... and if browsers change, then we are not required to do a new release to match. Signed-off-by: Greg Wilkins <gregw@webtide.com> * Issue #4247 SameSite Session Cookie For cookie comments with multiple SameSite attributes, the most strict value is used. So `Strict` has precedence over `Lax` which has precedence over `None`. Signed-off-by: Greg Wilkins <gregw@webtide.com>
|
Note that to use sameSite cookies for the session cookie, you can activate using web.xml (and STRICT/LAX/NONE in the comment): <session-config>
<cookie-config>
<comment>__SAME_SITE_STRICT__</comment>
</cookie-config>
</session-config> |
|
I think we need to do more on this issue. Considering that Chrome will soon ignore cookies without Same-Site, then it is not sufficient just to allow applications to specify Same-Site if they wish. We need the ability to add the attribute to cookies created by existing code - ie the container needs to be able to set a default other than null |
|
See also jakartaee/servlet#271 |
Signed-off-by: Jan Bartel <janb@webtide.com>
Signed-off-by: Jan Bartel <janb@webtide.com>
|
The samesite attribute can now be set via a context default value. Thus, the samesite attribute will be present if it is either set explicitly, or there is a default value set for the context. According to the documentation links provided on this issue, chrome will use a default value of LAX if no samesite value is present in a cookie. |
See https://blog.chromium.org/2019/10/developers-get-ready-for-new.html
Also the feedback at #3040 (comment)
We need to have a solution for the following:
The text was updated successfully, but these errors were encountered: