Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[rest] TokenResource: Set SameSite attribute for session id cookie #4160

Merged
merged 2 commits into from
Mar 27, 2024
Merged

[rest] TokenResource: Set SameSite attribute for session id cookie #4160

merged 2 commits into from
Mar 27, 2024

Conversation

florian-h05
Copy link
Contributor

@florian-h05 florian-h05 commented Mar 25, 2024
edited
Loading

Fixes #4159.

See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#samesitesamesite-value.

Because our current implementation of javax.ws.rs.core.NewCookie (which is jakarta.ws.rs/jakarta.ws.rs-api/2.1.6 provided by org.apache.aries.spec/org.apache.aries.javax.jax.rs-api/1.0.4) does not allow to set the SameSite attribute, we have to workaround that limitation by setting the cookie directly through a response header.
Once our implementation is jakarta.ws.rs/jakarta.ws.rs-api/3.1.0 or newer, we can use NewCookie again.
Implementing the required changes to NewCookie on our own does not work, because the servlet also needs adustment.

@florian-h05
[rest] TokenResource: Properly set SameSite attribute for session id …
f26b6d8 
…cookie

Fixes #4159.

Signed-off-by: Florian Hotze <florianh_dev@icloud.com>
@florian-h05 florian-h05 requested a review from a team as a code owner March 25, 2024 19:22
@florian-h05 florian-h05 mentioned this pull request Mar 25, 2024
Closed
J-N-K
J-N-K requested changes Mar 27, 2024
View reviewed changes
Copy link
Member

@J-N-K J-N-K left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You can just press "Sign-off and commit" if you agree. If DCO fails, I'll override it.

...ab.core.io.rest.auth/src/main/java/org/openhab/core/io/rest/auth/internal/TokenResource.java Outdated Show resolved Hide resolved
...ab.core.io.rest.auth/src/main/java/org/openhab/core/io/rest/auth/internal/TokenResource.java Outdated Show resolved Hide resolved
@florian-h05 @J-N-K
Apply suggestions from code review
2a68c1c 
Co-authored-by: J-N-K <github@klug.nrw>
Signed-off-by: Florian Hotze <florianh_dev@icloud.com>
@florian-h05
Copy link
Contributor Author

Done 👍

J-N-K
J-N-K approved these changes Mar 27, 2024
View reviewed changes
Copy link
Member

@J-N-K J-N-K left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks!

@J-N-K J-N-K added bug An unexpected problem or unintended behavior of the Core REST/SSE labels Mar 27, 2024
@J-N-K J-N-K merged commit e871dcf into openhab:main Mar 27, 2024
3 checks passed
@J-N-K J-N-K added this to the 4.2 milestone Mar 27, 2024
@florian-h05 florian-h05 deleted the sessionid-cookie-samesite branch March 27, 2024 22:46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@J-N-K J-N-K J-N-K approved these changes

Assignees
No one assigned
Labels
bug An unexpected problem or unintended behavior of the Core REST/SSE
Projects
None yet
Milestone
4.2
Development

Successfully merging this pull request may close these issues.

Wrong usage of SameSite cookie param in TokenResource
2 participants
@florian-h05 @J-N-K