Sorry for snipped images.

Here is the configuration added in web.xml

  <session-config>
    <cookie-config>
      <http-only>true</http-only>
      <secure>true</secure>
      <comment>__SAME_SITE_STRICT__</comment>
    </cookie-config>
  </session-config>


Response Headers
HTTP/1.1 200 OK
Content-Type: text/html;charset=utf-8
Set-Cookie: JSESSIONID=node0u99zpkbrxegr59fnxzac8m217.node0; Path=/dashboard; Secure; HttpOnly
Expires: Thu, 01 Jan 1970 00:00:00 GMT //Here expecting SameSite to be returned
Set-Cookie: JSESSIONID=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0
X-Frame-Options: DENY
Referrer-Policy: same-origin
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Content-Security-Policy: default-src 'self' https:; script-src 'self' 'sha256-jLiclQuK1N1QZInVr4VJp6uKckK7+/GGsba4nme+PRA=' 'sha256-WcSfBbTthoIIuIdlLvU5spxO2l32y5Nw3Oh4jk4VnBY='; object-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; media-src 'self'; frame-src 'self'; font-src 'self'; connect-src 'self'
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Length: 3737

Thanks
Sai
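
As an added example (not part of this thread and not Jetty's own code), here is a small Python check that parses a raw HTTP response like the one pasted above and reports whether the live JSESSIONID cookie carries Secure, HttpOnly and SameSite=Strict. The first sample response is the one quoted above with its wrapped lines re-joined and abridged to the relevant headers; the second is a constructed "hardened" response. The function names and the expected-attribute list are my own assumptions, not anything Jetty ships.

```python
"""Check that the session cookie in a raw HTTP response carries the expected
hardening attributes (Secure, HttpOnly, SameSite=Strict)."""
from __future__ import annotations

from dataclasses import dataclass, field

# Assumption: the policy this deployment wants for its session cookie.
EXPECTED_SAMESITE = "Strict"


@dataclass
class ParsedCookie:
    name: str
    value: str
    # attribute name (lower-cased) -> value, or None for flag attributes
    attributes: dict = field(default_factory=dict)

    def has(self, attr: str) -> bool:
        return attr.lower() in self.attributes

    def get(self, attr: str):
        return self.attributes.get(attr.lower())

    @property
    def is_deletion(self) -> bool:
        # A Set-Cookie with Max-Age=0 (as in the second JSESSIONID line
        # above) only clears the cookie; it must not be graded as the session cookie.
        max_age = self.get("Max-Age")
        return max_age is not None and max_age.strip() == "0"


def parse_set_cookie(header_value: str) -> ParsedCookie:
    """Split one Set-Cookie value into name, value and attributes."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = ParsedCookie(name.strip(), value.strip())
    for part in parts[1:]:
        if not part:
            continue
        key, eq, val = part.partition("=")
        cookie.attributes[key.strip().lower()] = val.strip() if eq else None
    return cookie


def parse_response_headers(raw: str) -> list:
    """Return (name, value) pairs, unfolding lines wrapped with leading whitespace."""
    headers = []
    for line in raw.splitlines()[1:]:  # skip the status line
        if not line.strip():
            break  # end of header block
        if line[0] in " \t" and headers:  # obs-fold continuation of previous header
            n, v = headers[-1]
            headers[-1] = (n, v + " " + line.strip())
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return headers


def session_cookie_findings(raw: str, cookie_name: str = "JSESSIONID") -> list:
    """List the hardening attributes missing from the live session cookie."""
    cookies = [parse_set_cookie(v) for n, v in parse_response_headers(raw)
               if n.lower() == "set-cookie"]
    live = [c for c in cookies if c.name == cookie_name and c.value and not c.is_deletion]
    if not live:
        return [f"no live {cookie_name} cookie set"]
    findings = []
    for c in live:
        if not c.has("Secure"):
            findings.append("missing Secure")
        if not c.has("HttpOnly"):
            findings.append("missing HttpOnly")
        same_site = c.get("SameSite")
        if same_site is None:
            findings.append("missing SameSite")
        elif same_site.lower() != EXPECTED_SAMESITE.lower():
            findings.append(f"SameSite={same_site}, expected {EXPECTED_SAMESITE}")
    return findings


# The response quoted in the thread, re-joined and abridged to the relevant headers.
RESPONSE_FROM_THREAD = """HTTP/1.1 200 OK
Content-Type: text/html;charset=utf-8
Set-Cookie: JSESSIONID=node0u99zpkbrxegr59fnxzac8m217.node0; Path=/dashboard; Secure; HttpOnly
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0
X-Frame-Options: DENY
Content-Length: 3737

<html>...</html>
"""

# Constructed sample of what the first Set-Cookie should look like once SameSite is applied.
HARDENED_RESPONSE = """HTTP/1.1 200 OK
Set-Cookie: JSESSIONID=node0example.node0; Path=/dashboard; Secure; HttpOnly; SameSite=Strict
Content-Length: 0

"""

if __name__ == "__main__":
    for label, raw in (("thread", RESPONSE_FROM_THREAD), ("hardened", HARDENED_RESPONSE)):
        print(label, session_cookie_findings(raw) or "OK")
```

Run against the thread's response it reports only `missing SameSite`, which matches what the poster observed; the deletion cookie (`Max-Age=0`) is skipped so it does not trigger false findings, and header continuation lines are unfolded so a response pasted from a mail client with wrapped lines still parses.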

From: Joakim Erdfelt <joa...@webtide.com>
Sent: Wednesday, July 14, 2021 10:46 PM
To: Sai Sankar Challa <saisanka...@motivitylabs.com>
Cc: JETTY user mailing list <jetty-users@eclipse.org>
Subject: Re: [jetty-users] SameSite to STRICT

You are using browser developer tooling.

What does the raw HTTP Response (that sets the JSESSIONID) look like?
As in, can you copy/paste the response, in raw form (not in a table, not 
post-parsed, not as an image) to this mailing list?

Joakim Erdfelt / joa...@webtide.com<mailto:joa...@webtide.com>


On Wed, Jul 14, 2021 at 11:34 AM Sai Sankar Challa 
<saisanka...@motivitylabs.com<mailto:saisanka...@motivitylabs.com>> wrote:
Thanks for the response.

I am assuming this is done by Jetty Server.

The URL we are trying is the very first URL, i.e., the login page; post-login we do 
have filter classes where we are doing some modifications.

Thanks
Sai


From: Joakim Erdfelt <joa...@webtide.com<mailto:joa...@webtide.com>>
Sent: Wednesday, July 14, 2021 9:49 PM
To: JETTY user mailing list 
<jetty-users@eclipse.org<mailto:jetty-users@eclipse.org>>
Cc: Sai Sankar Challa 
<saisanka...@motivitylabs.com<mailto:saisanka...@motivitylabs.com>>
Subject: Re: [jetty-users] SameSite to STRICT

What does the actual HTTP Response that created that JSESSIONID look like?

Joakim Erdfelt / joa...@webtide.com<mailto:joa...@webtide.com>


On Wed, Jul 14, 2021 at 11:07 AM Sai Sankar Challa via jetty-users 
<jetty-users@eclipse.org<mailto:jetty-users@eclipse.org>> wrote:
Hi Team

We upgraded our Jetty version to 9.4.38.v20210224 and we want to set the 'SameSite' 
attribute to 'Strict' in JSESSIONID for our portal security.

We made the code changes as per below in our web.xml and are still not seeing any 
difference.

  <session-config>
    <cookie-config>
     <http-only>false</http-only>
     <secure>false</secure>
     <comment>__SAME_SITE_STRICT__</comment>
    </cookie-config>
  </session-config>

Browser Cookie

[inline image: browser cookie screenshot, not included]

Can you please throw some ideas on how to get this done.

Thanks
Sai


_______________________________________________
jetty-users mailing list
jetty-users@eclipse.org<mailto:jetty-users@eclipse.org>
To unsubscribe from this list, visit 
https://www.eclipse.org/mailman/listinfo/jetty-users