Handle SameSite attribute for session cookie consistently #1727
https://groups.google.com/g/ops4j/c/28LykWUIqpo
I just found something I wasn't aware of. For Jetty, I see this code:

```java
public static SameSite getSameSiteFromComment(String comment) {
    if (comment != null) {
        if (comment.contains("__SAME_SITE_STRICT__")) {
            return HttpCookie.SameSite.STRICT;
        }
        if (comment.contains("__SAME_SITE_LAX__")) {
            return HttpCookie.SameSite.LAX;
        }
        if (comment.contains("__SAME_SITE_NONE__")) {
            return HttpCookie.SameSite.NONE;
        }
    }
    return null;
}
```

So it should be enough (for Jetty) for you to add a cookie comment with

pax-web-tomcat uses by default `org.apache.tomcat.util.http.Rfc6265CookieProcessor`, but its "sameSiteCookies" defaults to "unset" and it's not handled in Pax Web.

In pax-web-undertow there's special `io.undertow.server.handlers.SameSiteCookieHandler` which could be configured as extra handler in (Karaf) etc/undertow.xml.
I've added a new configuration option (defaults to
…e SameSite session cookie attribute for Jetty, Tomcat and Undertow
Thanks, I just enabled/added it (Karaf 4.4.2/Jetty) and it seems to work. :-)

Good to hear ;)
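To confirm that the session cookie really carries SameSite regardless of whether Jetty, Tomcat or Undertow emitted it, the `Set-Cookie` header value can be checked directly. The following is an added example, not code from this thread or from Pax Web; the class name `SameSiteAudit`, the `Finding` values and the sample headers are assumptions made for illustration.

```java
import java.util.Arrays;
import java.util.List;
import java.util.Locale;

// Added example: audits Set-Cookie header values for the SameSite attribute.
public class SameSiteAudit {

    enum Finding { OK, MISSING_SAMESITE, INVALID_VALUE, NONE_WITHOUT_SECURE }

    // Classifies one Set-Cookie header value (the text after "Set-Cookie: ").
    static Finding audit(String setCookie) {
        String sameSite = null;
        boolean secure = false;
        String[] parts = setCookie.split(";");
        // parts[0] is name=value; the rest are attributes, matched case-insensitively.
        for (int i = 1; i < parts.length; i++) {
            String lower = parts[i].trim().toLowerCase(Locale.ROOT);
            if (lower.equals("secure")) {
                secure = true;
            } else if (lower.startsWith("samesite=")) {
                sameSite = lower.substring("samesite=".length()).trim();
            }
        }
        if (sameSite == null) {
            return Finding.MISSING_SAMESITE;
        }
        if (!Arrays.asList("strict", "lax", "none").contains(sameSite)) {
            return Finding.INVALID_VALUE;
        }
        // Current browsers reject SameSite=None cookies that are not also Secure.
        if (sameSite.equals("none") && !secure) {
            return Finding.NONE_WITHOUT_SECURE;
        }
        return Finding.OK;
    }

    public static void main(String[] args) {
        // Constructed sample headers, not captured from a real server.
        List<String> samples = Arrays.asList(
            "JSESSIONID=node0abc123; Path=/; HttpOnly",
            "JSESSIONID=node0abc123; Path=/; HttpOnly; SameSite=Strict",
            "JSESSIONID=node0abc123; Path=/; SameSite=None",
            "JSESSIONID=node0abc123; Path=/; Secure; SameSite=None");
        for (String header : samples) {
            System.out.println(audit(header) + "  <-  " + header);
        }
    }
}
```

Running the same check against each container's response makes an inconsistency visible, for example a Tomcat deployment where "sameSiteCookies" is still "unset" reports `MISSING_SAMESITE`.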