This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/master by this push:
     new d381d87  Add SameSite=strict to Manager and Host Manager cookies
d381d87 is described below

commit d381d87005fa89d1f19d9091c0954f317c135d9d
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Tue Sep 15 11:40:40 2020 +0100

    Add SameSite=strict to Manager and Host Manager cookies
---
 webapps/docs/changelog.xml                | 9 +++++++++
 webapps/host-manager/META-INF/context.xml | 2 ++
 webapps/manager/META-INF/context.xml      | 2 ++
 3 files changed, 13 insertions(+)

diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index e10a44d..c5389e0 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -64,6 +64,15 @@
       </fix>
     </changelog>
   </subsection>
+  <subsection name="Web applications">
+    <changelog>
+      <add>
+        Configure the Manager and Host Manager applications to set
+        <code>SameSite=strict</code> for all cookies, including session 
cookies,
+        created by the application. (markt)
+      </add>
+    </changelog>
+  </subsection>
   <subsection name="Other">
     <changelog>
       <update>
diff --git a/webapps/host-manager/META-INF/context.xml 
b/webapps/host-manager/META-INF/context.xml
index 8d1f61d..1fa3a5a 100644
--- a/webapps/host-manager/META-INF/context.xml
+++ b/webapps/host-manager/META-INF/context.xml
@@ -16,6 +16,8 @@
   limitations under the License.
 -->
 <Context antiResourceLocking="false" privileged="true" >
+  <CookieProcessor 
className="org.apache.tomcat.util.http.Rfc6265CookieProcessor"
+                   sameSiteCookies="strict" />
   <Valve className="org.apache.catalina.valves.RemoteAddrValve"
          allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
   <Manager 
sessionAttributeValueClassNameFilter="java\.lang\.(?:Boolean|Integer|Long|Number|String)|org\.apache\.catalina\.filters\.CsrfPreventionFilter\$LruCache(?:\$1)?|java\.util\.(?:Linked)?HashMap"/>
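Review bot: The new `<CookieProcessor>` element carries no comment saying why `sameSiteCookies="strict"` is pinned here, so a later edit could relax it to `lax` without realising it is part of the CSRF defence that complements the CsrfPreventionFilter referenced in the `<Manager>` filter expression just below; suggest a preceding XML comment such as `<!-- SameSite=strict on every cookie (incl. the session cookie): CSRF defence in depth, do not relax without review -->`. The identical hunk in webapps/manager/META-INF/context.xml should get the same comment. With strict, a cross-site top-level navigation into the application arrives without the session cookie, which is presumably acceptable because the application is normally protected by HTTP BASIC authentication rather than the session alone — confirm. SameSite is not a substitute for the `Secure` and `HttpOnly` flags; those still come from the connector / session-config and the Context defaults, which this change leaves untouched.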
diff --git a/webapps/manager/META-INF/context.xml 
b/webapps/manager/META-INF/context.xml
index 0217745..120b7ab 100644
--- a/webapps/manager/META-INF/context.xml
+++ b/webapps/manager/META-INF/context.xml
@@ -16,6 +16,8 @@
   limitations under the License.
 -->
 <Context antiResourceLocking="false" privileged="true" >
+  <CookieProcessor 
className="org.apache.tomcat.util.http.Rfc6265CookieProcessor"
+                   sameSiteCookies="strict" />
   <Valve className="org.apache.catalina.valves.RemoteAddrValve"
          allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
   <Manager 
sessionAttributeValueClassNameFilter="java\.lang\.(?:Boolean|Integer|Long|Number|String)|org\.apache\.catalina\.filters\.CsrfPreventionFilter\$LruCache(?:\$1)?|java\.util\.(?:Linked)?HashMap"/>

