Handle SameSite attribute for session cookie consistently #1727

Closed
grgrzybek opened this issue Jun 17, 2022 · 5 comments
No description provided.

@grgrzybek grgrzybek added the type: new feature New Feature label Jun 17, 2022
@grgrzybek grgrzybek added this to the 8.0.5 milestone Jun 17, 2022
@grgrzybek grgrzybek self-assigned this Jun 17, 2022
grgrzybek commented:

https://groups.google.com/g/ops4j/c/28LykWUIqpo

Is it somehow possible to append a SameSite=[None|Lax|Strict] attribute to the default Cookie "JSESSIONID" or to disable it at all?

IS:
JSESSIONID=node010lhb2y6ihrdb13l2ip7p4ihdb4.node0; Path=/; HttpOnly

SHOULD:
JSESSIONID=node010lhb2y6ihrdb13l2ip7p4ihdb4.node0; Path=/; HttpOnly; SameSite=Strict
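The two headers above make a handy test fixture. The following is an added example, not code from the issue or from Pax Web: a small audit function that parses a Set-Cookie value and reports which hardening attributes are missing. It goes slightly beyond the post by also checking for Secure and for the SameSite=None-without-Secure combination that browsers reject; the three sample headers are constructed inputs (the first two are the "IS" and "SHOULD" lines quoted above).

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

// Added example (not part of the issue or of Pax Web): audits a Set-Cookie header
// value for the attributes a reviewer expects on a session cookie.
public final class SetCookieAudit {

    // Accepted SameSite values: none, lax, strict (compared case-insensitively).
    private static final Set<String> SAME_SITE_VALUES = Set.of("none", "lax", "strict");

    /** Parses "name=value; Attr1; Attr2=val" into a map keyed by lower-cased attribute name. */
    static Map<String, String> parseAttributes(String setCookie) {
        Map<String, String> attrs = new LinkedHashMap<>();
        String[] parts = setCookie.split(";");
        // parts[0] is the cookie name=value pair; everything after it is an attribute.
        for (int i = 1; i < parts.length; i++) {
            String part = parts[i].trim();
            if (part.isEmpty()) continue;
            int eq = part.indexOf('=');
            String name = (eq < 0 ? part : part.substring(0, eq)).trim().toLowerCase(Locale.ROOT);
            String value = eq < 0 ? "" : part.substring(eq + 1).trim();
            attrs.put(name, value);
        }
        return attrs;
    }

    /** Returns findings for the header; an empty list means nothing is missing. */
    static List<String> audit(String setCookie) {
        List<String> findings = new ArrayList<>();
        Map<String, String> attrs = parseAttributes(setCookie);
        if (!attrs.containsKey("httponly")) findings.add("missing HttpOnly");
        if (!attrs.containsKey("secure")) findings.add("missing Secure");
        String sameSite = attrs.get("samesite");
        if (sameSite == null) {
            findings.add("missing SameSite (browser default applies)");
        } else if (!SAME_SITE_VALUES.contains(sameSite.toLowerCase(Locale.ROOT))) {
            findings.add("unrecognised SameSite value: " + sameSite);
        } else if (sameSite.equalsIgnoreCase("none") && !attrs.containsKey("secure")) {
            findings.add("SameSite=None requires Secure; browsers drop the cookie otherwise");
        }
        return findings;
    }

    public static void main(String[] args) {
        // Constructed inputs: the "IS" and "SHOULD" headers from the post, plus a None case.
        String[] samples = {
            "JSESSIONID=node010lhb2y6ihrdb13l2ip7p4ihdb4.node0; Path=/; HttpOnly",
            "JSESSIONID=node010lhb2y6ihrdb13l2ip7p4ihdb4.node0; Path=/; HttpOnly; SameSite=Strict",
            "JSESSIONID=example; Path=/; HttpOnly; SameSite=None"
        };
        for (String s : samples) {
            System.out.println(s);
            List<String> findings = audit(s);
            System.out.println(findings.isEmpty() ? "  OK" : "  " + String.join("; ", findings));
        }
    }
}
```

Run it against a real response (for example the Set-Cookie header from a first request to the application) to confirm that whatever container-level setting you enabled actually reached the wire; the "SHOULD" header from the post still gets a "missing Secure" finding, which is the right outcome for an application served over HTTPS.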


grgrzybek commented Jun 28, 2022

I just found something I wasn't aware of. For Jetty, I see this code:

```java
// From Jetty's org.eclipse.jetty.http.HttpCookie: the SameSite value is not a
// separate setting but a marker substring inside the cookie's Comment attribute.
public static SameSite getSameSiteFromComment(String comment) {
    if (comment != null) {
        if (comment.contains("__SAME_SITE_STRICT__")) {
            return HttpCookie.SameSite.STRICT;
        }
        if (comment.contains("__SAME_SITE_LAX__")) {
            return HttpCookie.SameSite.LAX;
        }
        if (comment.contains("__SAME_SITE_NONE__")) {
            return HttpCookie.SameSite.NONE;
        }
    }
    return null; // no marker: Jetty emits the cookie without a SameSite attribute
}
```

So it should be enough (for Jetty) for you to add a cookie comment with __SAME_SITE_STRICT__.

pax-web-tomcat uses by default org.apache.tomcat.util.http.Rfc6265CookieProcessor, but its "sameSiteCookies" defaults to "unset" and it's not handled in Pax Web.

In pax-web-undertow there's a special io.undertow.server.handlers.SameSiteCookieHandler which could be configured as an extra handler in (Karaf) etc/undertow.xml.
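To show what the Jetty comment marker looks like when applied from inside a web application rather than from container configuration, here is an added example that is neither Pax Web nor Jetty code. It assumes the javax.servlet API and a Jetty version whose HttpCookie.getSameSiteFromComment() recognises the marker (Jetty 9.4.x or 10.x); the class name and the listener registration via @WebListener are the example's own choices.

```java
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.servlet.annotation.WebListener;

// Added example (not Pax Web or Jetty code): hardens the JSESSIONID cookie from the
// application side. The comment marker is the Jetty-specific mechanism shown in the
// issue; HttpOnly and Secure use the standard Servlet API.
@WebListener
public class SessionCookieHardening implements ServletContextListener {

    // Marker that Jetty's HttpCookie.getSameSiteFromComment() maps to SameSite.STRICT.
    static final String SAME_SITE_STRICT_MARKER = "__SAME_SITE_STRICT__";

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        // SessionCookieConfig may only be modified while the context is still
        // initialising, which is exactly when this callback runs.
        SessionCookieConfig cfg = sce.getServletContext().getSessionCookieConfig();
        cfg.setHttpOnly(true);                    // keep scripts from reading the session id
        cfg.setSecure(true);                      // send only over TLS (assumes HTTPS deployment)
        cfg.setComment(SAME_SITE_STRICT_MARKER);  // Jetty turns this into SameSite=Strict
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        // nothing to clean up
    }
}
```

The caveat is the one the issue is about: the comment marker is Jetty-only. On Tomcat the same listener leaves the cookie without a SameSite attribute, and on Undertow you need the SameSiteCookieHandler instead, so a check on the actual Set-Cookie header after deployment is the only reliable confirmation.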

@grgrzybek grgrzybek changed the title Handle SameSite cookie attribute consistently Handle SameSite attribute for session cookie consistently Jun 28, 2022

grgrzybek commented Jun 28, 2022

I've added a new configuration option (defaults to unset) to the org.ops4j.pax.web PID. When installing the relevant Karaf feature (pax-web-jetty, pax-web-tomcat or pax-web-undertow), the etc/org.ops4j.pax.web.cfg file will contain:

```properties
# SameSite attribute configuration for session cookie (possible values: none, lax, strict)
#org.ops4j.pax.web.session.cookie.sameSite = strict
```

grgrzybek added a commit that referenced this issue Jun 28, 2022
…e SameSite session cookie attribute for Jetty, Tomcat and Undertow

olfuerniss commented Nov 10, 2022

Thanks, I just enabled/added it (Karaf 4.4.2/Jetty) and it seems to work. :-)

grgrzybek commented:

Good to hear ;)
