Setting SameSite in WildFly 19+...


Stuart Connall

Sep 29, 2021, 6:00:57 PM
to WildFly
I'm trying to find the best way to add SameSite=None to the JSESSIONID cookie and so far everything I have tried hasn't worked.

I've tried the following using the jboss-cli and it sets the secure and http-only attributes, but not the SameSite=None in the JSESSIONID browser cookie.

/subsystem=undertow/servlet-container=default/setting=session-cookie:add(comment="; SameSite=None", secure, http-only)

I've also tried using the undertow-handlers.conf, which will add the SameSite to the JSESSIONID cookie but I don't want this to occur with all deployments as some are not secure environments.

samesite-cookie(mode=None,add-secure-for-none=true)

The above only works for https as secure is required when SameSite=None.  Setting the flag to false didn't work with a non-secure environment (http).

I've also had some difficulties getting the path option to work and the doc isn't very descriptive.

Anyone have any experience setting this attribute in your JSESSIONID?

Thank you.

Pep Grifell

Sep 30, 2021, 4:22:19 PM
to WildFly
In our case, we did this "hack" in order to see the SameSite attribute:

import java.util.Date;
import javax.ws.rs.core.Cookie;
import javax.ws.rs.core.NewCookie;

// Wrapper class/method added so the snippet compiles as posted
public class SameSiteCookieFactory {
    // The SameSite attribute is smuggled in via the path: the value after "Path="
    // is written into the Set-Cookie header verbatim, so ";SameSite=None" ends up
    // as a separate attribute when the browser parses the header.
    public static final String SAME_SITE_NONE = "/;SameSite=None";

    public static NewCookie create() {
        String name = "some cookie name";
        String value = "some value";
        String path = SAME_SITE_NONE;
        String domain = null;
        int version = Cookie.DEFAULT_VERSION;
        String comment = null;
        int maxAge = -1;
        Date expiry = null;
        boolean secure = true;   // required by browsers whenever SameSite=None is used
        boolean httpOnly = true;
        return new NewCookie(name, value, path, domain, version, comment, maxAge, expiry, secure, httpOnly);
    }
}

Hope it helps.

On Thursday, 30 September 2021 at 0:00:57 UTC+2, sconnall...@gmail.com wrote:
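As an added illustration, not code from either poster: a small checker for the Set-Cookie headers a WildFly deployment actually sends back, covering the cases raised in this thread (JSESSIONID with no SameSite at all, SameSite=None paired with Secure as the samesite-cookie handler produces it, the "/;SameSite=None" path trick from the reply above, and SameSite=None on plain http). The sample headers are constructed, not captured from a real server.

```python
"""Audit Set-Cookie headers for the SameSite/Secure combinations discussed in this thread."""
from typing import Dict, List, Optional

# Constructed sample headers (not captured from a real WildFly instance):
#  0: JSESSIONID as emitted with no SameSite handling at all
#  1: JSESSIONID after samesite-cookie(mode=None,add-secure-for-none=true)
#  2: a cookie built with the "/;SameSite=None" path trick from the reply above
#  3: SameSite=None on plain http, i.e. without Secure
SAMPLE_HEADERS = [
    "JSESSIONID=abc123; path=/; HttpOnly",
    "JSESSIONID=abc123; path=/; Secure; HttpOnly; SameSite=None",
    "mycookie=v; Path=/;SameSite=None; Secure; HttpOnly",
    "JSESSIONID=abc123; path=/; HttpOnly; SameSite=None",
]


def parse_set_cookie(header: str) -> Dict[str, Optional[str]]:
    """Split a Set-Cookie value into its name/value pair and lower-cased attributes.

    Attributes are separated by ';' (RFC 6265), which is exactly why a path of
    "/;SameSite=None" is seen by the browser as two attributes, Path and SameSite.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie: Dict[str, Optional[str]] = {"name": name.strip(), "value": value.strip()}
    for part in parts[1:]:
        if part:
            key, sep, val = part.partition("=")
            cookie[key.strip().lower()] = val.strip() if sep else None
    return cookie


def audit_cookie(header: str) -> List[str]:
    """Return findings for one Set-Cookie header; an empty list means it is usable cross-site."""
    cookie = parse_set_cookie(header)
    findings: List[str] = []
    if "samesite" not in cookie:
        findings.append("no SameSite attribute (browsers default to Lax)")
    elif (cookie["samesite"] or "").lower() == "none" and "secure" not in cookie:
        findings.append("SameSite=None without Secure: browsers reject the cookie")
    if "httponly" not in cookie:
        findings.append("missing HttpOnly")
    return findings


def audit_session_cookies(headers: List[str], name: str = "JSESSIONID") -> Dict[str, List[str]]:
    """Audit only the session cookie headers from a response's Set-Cookie list."""
    return {h: audit_cookie(h) for h in headers if parse_set_cookie(h)["name"] == name}
```

Feed it the Set-Cookie values from a real response (e.g. from the browser's network tab or curl -i) to confirm whether the attribute actually reached the client, instead of guessing from the server config.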