Hello
Unfortunately you can't disable sessions entirely in Pax Web. Session (and security) support is added by default for all (Jetty, Tomcat, Undertow) runtimes.
Same for additional elements of the session cookie. Pax Web maps this web.xml configuration for the session cookie:
    <cookie-config>
        <name>token</name>
        <domain>token</domain>
        <path>token</path>
        <comment>token</comment>
        <http-only>true</http-only>
        <secure>true</secure>
        <max-age>100</max-age>
    </cookie-config>
And you can configure these using the org.ops4j.pax.web PID:
- org.ops4j.pax.web.session.cookie.domain
- org.ops4j.pax.web.session.cookie.path
- org.ops4j.pax.web.session.cookie.comment
- org.ops4j.pax.web.session.cookie.httpOnly
- org.ops4j.pax.web.session.cookie.secure
- org.ops4j.pax.web.session.cookie.maxAge
Even from the javax.servlet.http.Cookie API's point of view, I don't see anything related to SameSite...
BUT!
I just found something I wasn't aware of. For Jetty, I see this code:
    // Jetty derives the SameSite attribute from a marker token in the cookie comment
    public static SameSite getSameSiteFromComment(String comment) {
        if (comment != null) {
            if (comment.contains("__SAME_SITE_STRICT__")) {
                return HttpCookie.SameSite.STRICT;
            }
            if (comment.contains("__SAME_SITE_LAX__")) {
                return HttpCookie.SameSite.LAX;
            }
            if (comment.contains("__SAME_SITE_NONE__")) {
                return HttpCookie.SameSite.NONE;
            }
        }
        // no marker in the comment: no SameSite attribute is emitted
        return null;
    }
So it should be enough (for Jetty) for you to add a cookie comment with "__SAME_SITE_STRICT__".
pax-web-tomcat uses org.apache.tomcat.util.http.Rfc6265CookieProcessor by default, but its "sameSiteCookies" setting defaults to "unset" and it's not handled in Pax Web.
In pax-web-undertow there's a special io.undertow.server.handlers.SameSiteCookieHandler which could be configured as an extra handler in (Karaf) etc/undertow.xml.
But I agree - there should be a unified way to support SameSite attribute of session cookie.
regards
Grzegorz Grzybek
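Because the three runtimes differ in whether the comment trick actually produces a SameSite attribute, the only reliable way to know is to inspect the Set-Cookie header the server really sends. The following audit function is an added example, not part of the reply above or of Pax Web; the sample headers are constructed, and the session cookie name JSESSIONID is an assumption (the page shows it is configurable via <name>).

```python
"""Audit a Set-Cookie header for the session-cookie attributes discussed above
(HttpOnly, Secure, SameSite). Sample headers below are constructed, not captured."""

# Constructed example: Jetty with the "__SAME_SITE_STRICT__" comment applied
JETTY_SAMPLE = "JSESSIONID=node0example.node0; Path=/; Secure; HttpOnly; SameSite=Strict"
# Constructed example: Tomcat, where the comment marker is not mapped to SameSite
TOMCAT_SAMPLE = "JSESSIONID=EXAMPLE123; Path=/; Secure; HttpOnly"


def parse_set_cookie(header):
    """Split 'NAME=value; Attr; Attr=value' into (name, value, {attr_lower: value|None})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() or None
    return name.strip(), value, attrs


def audit_session_cookie(header, session_cookie_name="JSESSIONID"):
    """Return a list of findings for the session cookie, or None if the header
    sets some other cookie. An empty list means all expected attributes are present."""
    name, _, attrs = parse_set_cookie(header)
    if name != session_cookie_name:
        return None
    findings = []
    if "httponly" not in attrs:
        findings.append("missing HttpOnly")
    if "secure" not in attrs:
        findings.append("missing Secure")
    samesite = attrs.get("samesite")
    if samesite is None:
        findings.append("missing SameSite")
    elif samesite.lower() not in ("strict", "lax", "none"):
        findings.append("invalid SameSite value: %s" % samesite)
    elif samesite.lower() == "none" and "secure" not in attrs:
        findings.append("SameSite=None requires Secure")
    return findings


if __name__ == "__main__":
    for label, sample in (("jetty", JETTY_SAMPLE), ("tomcat", TOMCAT_SAMPLE)):
        print(label, audit_session_cookie(sample) or "ok")
```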