[ https://issues.apache.org/jira/browse/DRILL-8522?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17948266#comment-17948266 ]
ASF GitHub Bot commented on DRILL-8522:
---------------------------------------

rymarm opened a new pull request, #2985:
URL: https://github.com/apache/drill/pull/2985

# [DRILL-8522](https://issues.apache.org/jira/browse/DRILL-8522): Change session cookie name. Use STRICT sameSite

Drill uses Jetty's default cookie name, JSESSIONID, to store the user session ID.

Because JSESSIONID is a generic name, multiple web services running on the same host can conflict if they use the same cookie name.

## Description

Instead of the generic `JSESSIONID` cookie name, Drill will now use `Drill-Session-Id` for HTTP and `__Secure-Drill-Session-Id` for HTTPS. For HTTPS, the `__Secure-` prefix is used to ensure the cookie is set from a secure origin: https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/Cookies#cookie_prefixes

Additionally, the cookie's `sameSite` attribute is now set to `STRICT` for improved security. More information about this configuration can be found here: https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/Cookies#controlling_third-party_cookies_with_samesite

## Documentation

\-

## Testing

Manual tests

> Change session cookie name to avoid conflicts
> ---------------------------------------------
>
>                 Key: DRILL-8522
>                 URL: https://issues.apache.org/jira/browse/DRILL-8522
>             Project: Apache Drill
>          Issue Type: Improvement
>   Affects Versions: 1.21.2
>            Reporter: Maksym Rymar
>            Assignee: Maksym Rymar
>            Priority: Minor
>             Fix For: 1.22.0
>
>
> Drill uses Jetty's default cookie name, {{JSESSIONID}}, to store the user
> session ID.
>
> Because {{JSESSIONID}} is a generic name, multiple web services running on
> the same host can conflict if they use the same cookie name.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
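
An added example, not part of the pull request or of Drill's code: a small Python check that audits a `Set-Cookie` header against the policy described above (scheme-specific cookie name, `__Secure-` prefix rules, `SameSite=Strict`). The function names and the sample headers are constructed for illustration.

```python
# Added example: audit a Set-Cookie header against the cookie policy this PR describes.
# The header strings in SAMPLES are constructed, not captured Drill output.

EXPECTED_NAME = {"http": "Drill-Session-Id", "https": "__Secure-Drill-Session-Id"}


def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, attrs); attribute names are lowercased."""
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def audit_session_cookie(header, scheme):
    """Return a list of findings; an empty list means the cookie matches the policy."""
    name, _, attrs = parse_set_cookie(header)
    findings = []
    if name != EXPECTED_NAME[scheme]:
        findings.append(f"unexpected cookie name {name!r} for {scheme}")
    if name.startswith("__Secure-"):
        # Browsers reject a __Secure- cookie unless it carries the Secure
        # attribute and is set from a secure (HTTPS) origin.
        if "secure" not in attrs:
            findings.append("__Secure- prefix without Secure attribute")
        if scheme != "https":
            findings.append("__Secure- prefix sent over a non-HTTPS origin")
    if attrs.get("samesite", "").lower() != "strict":
        findings.append("SameSite is not Strict")
    return findings


SAMPLES = [  # constructed sample headers
    ("https", "__Secure-Drill-Session-Id=node0abc; Path=/; Secure; HttpOnly; SameSite=Strict"),
    ("http", "Drill-Session-Id=node0abc; Path=/; HttpOnly; SameSite=Strict"),
    ("https", "JSESSIONID=node0abc; Path=/; HttpOnly"),
    ("https", "__Secure-Drill-Session-Id=node0abc; Path=/; SameSite=Lax"),
]

if __name__ == "__main__":
    for scheme, header in SAMPLES:
        print(scheme, header, "->", audit_session_cookie(header, scheme) or "ok")
```
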