Cookies with SameSite=None|Lax|Strict


Oliver Fürniß

Jun 16, 2022, 8:32:53 AM
to OPS4J
Hi,

I'm using Karaf 4.3.7, pax-web 7.3.25 (Jetty) and CXF 3.5.2.

Is it somehow possible to append a SameSite=[None|Lax|Strict] attribute to the default Cookie "JSESSIONID" or to disable it at all?

IS: 
JSESSIONID=node010lhb2y6ihrdb13l2ip7p4ihdb4.node0; Path=/; HttpOnly

SHOULD: 
JSESSIONID=node010lhb2y6ihrdb13l2ip7p4ihdb4.node0; Path=/; HttpOnly; SameSite=Strict

All the best
 Oliver

Grzegorz Grzybek

Jun 17, 2022, 3:04:54 AM
to op...@googlegroups.com
Hello

Unfortunately you can't disable sessions entirely in Pax Web. Session (and security) support is added by default for all (Jetty, Tomcat, Undertow) runtimes.
Same for additional elements of the session cookie. Pax Web maps this web.xml configuration for session cookie:

<cookie-config>
    <name>token</name>
    <domain>token</domain>
    <path>token</path>
    <comment>token</comment>
    <http-only>true</http-only>
    <secure>true</secure>
    <max-age>100</max-age>
</cookie-config>

And you can configure these using the org.ops4j.pax.web PID:
 - org.ops4j.pax.web.session.cookie.domain
 - org.ops4j.pax.web.session.cookie.path
 - org.ops4j.pax.web.session.cookie.comment
 - org.ops4j.pax.web.session.cookie.httpOnly
 - org.ops4j.pax.web.session.cookie.secure
 - org.ops4j.pax.web.session.cookie.maxAge

Even from the javax.servlet.http.Cookie API point of view, I don't see anything related to SameSite...

BUT!

I just found something I wasn't aware of. For Jetty, I see this code:

public static SameSite getSameSiteFromComment(String comment) {
    if (comment != null) {
        if (comment.contains("__SAME_SITE_STRICT__")) {
            return HttpCookie.SameSite.STRICT;
        }
        if (comment.contains("__SAME_SITE_LAX__")) {
            return HttpCookie.SameSite.LAX;
        }
        if (comment.contains("__SAME_SITE_NONE__")) {
            return HttpCookie.SameSite.NONE;
        }
    }
    return null;
}

So it should be enough (for Jetty) for you to add a cookie comment with "__SAME_SITE_STRICT__".

pax-web-tomcat uses by default org.apache.tomcat.util.http.Rfc6265CookieProcessor, but its "sameSiteCookies" defaults to "unset" and it's not handled in Pax Web.

In pax-web-undertow there's a special io.undertow.server.handlers.SameSiteCookieHandler which could be configured as an extra handler in (Karaf) etc/undertow.xml.

But I agree - there should be a unified way to support SameSite attribute of session cookie.

I've created https://github.com/ops4j/org.ops4j.pax.web/issues/1727 to track this issue in Pax Web 8.

regards
Grzegorz Grzybek
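Added example (not part of this thread and not Pax Web or Jetty code): a small audit script that checks a Set-Cookie header for the attributes discussed above, run over the "IS" and "SHOULD" lines from the question plus two constructed variants. It is the check you would run against the Karaf instance after setting the Jetty workaround from the answer (org.ops4j.pax.web.session.cookie.comment = __SAME_SITE_STRICT__ in the org.ops4j.pax.web PID) to confirm the session cookie actually comes back with SameSite=Strict. The parser, the sample header values and the audit_url() helper are assumptions of this example; the SameSite=None-requires-Secure rule is browser behaviour, not something Pax Web enforces.

```python
"""Audit Set-Cookie headers for the session-cookie attributes discussed in this thread.

Assumptions (not from the Pax Web project): the header samples below are the
"IS" and "SHOULD" lines quoted in the question plus two constructed variants;
audit_url() is a plain urllib fetch with no Karaf or Jetty dependency.
"""
import sys
import urllib.request

# Constructed samples: the two lines from the question, plus two variants that
# show failure modes a reviewer should catch.
SAMPLE_HEADERS = {
    "is": "JSESSIONID=node010lhb2y6ihrdb13l2ip7p4ihdb4.node0; Path=/; HttpOnly",
    "should": "JSESSIONID=node010lhb2y6ihrdb13l2ip7p4ihdb4.node0; Path=/; HttpOnly; SameSite=Strict",
    "none_without_secure": "JSESSIONID=constructed; Path=/; HttpOnly; SameSite=None",
    "typo": "JSESSIONID=constructed; Path=/; HttpOnly; Secure; SameSite=Stirct",
}


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, attrs).

    attrs maps lower-cased attribute names to their value, or True for
    valueless flags such as HttpOnly and Secure.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def audit_session_cookie(header_value, cookie_name="JSESSIONID",
                         expected_same_site="Strict", require_secure=True):
    """Return a list of findings for one Set-Cookie header; [] means it passes."""
    name, _value, attrs = parse_set_cookie(header_value)
    if name != cookie_name:
        return [f"not the {cookie_name} cookie (got {name!r})"]
    findings = []
    if attrs.get("httponly") is not True:
        findings.append("missing HttpOnly")
    same_site = attrs.get("samesite")
    if not isinstance(same_site, str):
        findings.append("missing SameSite")
    elif same_site.lower() not in ("strict", "lax", "none"):
        findings.append(f"invalid SameSite value {same_site!r}")
    elif same_site.lower() != expected_same_site.lower():
        findings.append(f"SameSite is {same_site}, expected {expected_same_site}")
    # Browsers only honour SameSite=None when Secure is also present.
    if isinstance(same_site, str) and same_site.lower() == "none" \
            and attrs.get("secure") is not True:
        findings.append("SameSite=None without Secure; browsers drop such cookies")
    if require_secure and attrs.get("secure") is not True:
        findings.append("missing Secure")
    return findings


def audit_url(url, **kwargs):
    """Fetch url and audit every Set-Cookie header in the response (uses the network)."""
    with urllib.request.urlopen(url) as resp:
        headers = resp.headers.get_all("Set-Cookie") or []
    return {h: audit_session_cookie(h, **kwargs) for h in headers}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # e.g. python audit_cookie.py http://localhost:8181/your-app/
        results = audit_url(sys.argv[1])
    else:
        results = {label: audit_session_cookie(h, require_secure=False)
                   for label, h in SAMPLE_HEADERS.items()}
    for label, findings in results.items():
        print(f"{label}: {'OK' if not findings else '; '.join(findings)}")
```

Run without arguments to see the findings for the embedded samples; pass the URL of the Karaf-hosted application to audit the live response instead. The require_secure flag is on by default because the same PID exposes org.ops4j.pax.web.session.cookie.secure, and a SameSite=Strict cookie sent over plain HTTP is still exposed to network observers.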

OPS4J - http://www.ops4j.org - op...@googlegroups.com
