Re: SameSite attribute handling

2020-07-06 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Abirami,

On 7/6/20 12:16, S Abirami wrote:
> I have used setHeader, addCookie for that also  it is getting
> twice

Of course it is, if Tomcat is automatically adding a Cookie to the
response for you.

> Only after, disabling cookie false in context.xml  setHeader for
> cookie is working.

What exact version of Tomcat are you using?

What is the problem you are trying to solve?

If you are setting sameSiteCookies to something other than "unset",
then it will affect all cookies for which Tomcat generates a
"Set-Cookie" header.

> I tried option also
??

- From your original post:

> Context changes reflecting issue in tenable vulnerable.

I'm not sure I understand what you are saying, here. Can you explain
in a different way?

- -chris

> -Original Message- From: Christopher Schultz
>  Sent: Thursday, July 2, 2020 11:07
> PM To: Tomcat Users List  Subject: Re:
> SameSite attribute handling
>
> Abirami,
>
> On 7/1/20 03:06, S Abirami wrote:
>> We can add the samesite attribute in set-cookie header through
>> context.xml entry in tomcat. Is there any other way, can we add
>> samesite attribute in response of set-cookie header.
> Not for Tomcat-generated cookies, and not for cookies added to the
> response like this:
>
> response.addCookie(myCookie);
>
> This is because the Servlet API hasn't yet caught up with
> state-of-the-art.
>
> You can, however, craft your own Set-Cookie response header like
> this:
>
> response.addHeader("Set-Cookie", "CookieName=value;
> SameSite=Strict");
>
> Remember that there are rules about the composition of the cookie's
> name, value, etc. that Tomcat enforces for you that you will have
> to handel yourself.
>
>> I tried with filter by using setHeader but it is sending two
>> set-Cookie header.
>
> Correct: you will have to use *either* setCookie() or setHeader().
>
> -chris
>
> -
>
>
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>
> -
>
>
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
-BEGIN PGP SIGNATURE-
Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/

iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAl8DX2YACgkQHPApP6U8
pFgcSxAArdXTwk0pPdSEjSX141D2mDyD1kHKrZdYDjx/xF/NOphvIQCE2aa2baDG
38hmlmwL8x4CaNs0DJa3Wbnq2MDnnzUlZAbxHlLpaLuFedJgkuKLMSz9ZOZpqD6G
1yDw1rTF2ipxJ5lD9/2gzC9Sx8PZumieKNJhYIhLgT+m8jMg6z6zABsSJ7rkIydg
ypUwB6EVFsWnKTmC1UwCRYukjZLE4OhMem5WTnAg98aTdGSzdrU3POdwRTfmbYXa
qhVp0+Ig95pvODmxM1MEwgKlZxj4p8ToRClxkB8A3t3E4pp1TreEVemj3lHCKu8b
npT+ZqcrMa5evswUflvP+7bTzDuM1Y9Bc8K3ZDNM2hKs0KCxAHiZgI02RTZJFUXm
eQN8mmv4FrCtWGUKgAcRcZdlPmT7WNBxhZnDe8n0WGJPNEZ2Gu7sLhjAhIvwz/DU
cHVvHrq7QMSBrRFpiBW4KkjS18P6nhSN6P22ex3GVa0cpj6+EVbuIc0LFSJ8YlqI
AO/t4WGte0TeF5WaxaCKS6+ZQvWRe1S+YACXi0mstbB6TSYKnYFJRzonw2sCLF3K
ic58arJzXlqpd9qWv424vP5QhG2FChXSPXctgkk75PZWtZfcqc9qXBN0ZrRAoclv
LfSGXPG4YSWQ3uZ9t5Ia1UQ9h6btGHZGuYZGrMkvJJ5Ksj8u9Rg=
=QssU
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



RE: SameSite attribute handling

2020-07-06 Thread S Abirami
Hi Christopher,

I have used setHeader, addCookie for that also  it is getting twice
Only after, disabling cookie false in context.xml  setHeader for cookie is 
working.

I tried option also


Regards,
Abirami.S

-Original Message-
From: Christopher Schultz  
Sent: Thursday, July 2, 2020 11:07 PM
To: Tomcat Users List 
Subject: Re: SameSite attribute handling

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Abirami,

On 7/1/20 03:06, S Abirami wrote:
> We can add the samesite attribute in set-cookie header through 
> context.xml entry in tomcat. Is there any other way, can we add 
> samesite attribute in response of set-cookie header.
Not for Tomcat-generated cookies, and not for cookies added to the response 
like this:

  response.addCookie(myCookie);

This is because the Servlet API hasn't yet caught up with state-of-the-art.

You can, however, craft your own Set-Cookie response header like this:

  response.addHeader("Set-Cookie", "CookieName=value; SameSite=Strict");

Remember that there are rules about the composition of the cookie's name, 
value, etc. that Tomcat enforces for you that you will have to handel yourself.

> I tried with filter by using setHeader but it is sending two 
> set-Cookie header.

Correct: you will have to use *either* setCookie() or setHeader().

- -chris
-BEGIN PGP SIGNATURE-
Comment: Using GnuPG with Thunderbird - 
https://protect2.fireeye.com/v1/url?k=e0a38852-be03323c-e0a3c8c9-86b1886cfa64-a04f2de4a687fd81=1=a3c49822-9bd3-43bd-ab88-cf37edfe243e=https%3A%2F%2Fwww.enigmail.net%2F

iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAl7+GyYACgkQHPApP6U8
pFiSqBAAhG9IHJXD4ec6TQD1F2o9CIbRyHSkVYrAl0miT5cz6BkhuqG7uEnpUw66
8m3oe6CCG1syEliyyHM3A7ySXGEYm54otp4A0GRkcK64kd+RwQKKV5JsSp0xFxtG
dqKRtPGKJL7sQ+kaa4Qo2KqAa7ntQFTRVhg44Lofj8usiu/az5Kg6y8gSgQ/3I2Y
n75PCchaMHsilvSIm3sztR6MpoeRXevv7/93LfI1xzyN6Rg1mE0xivKReQfryMeT
sySwz3S1kZgOb3y+xUgSdL0HNSzT+IoKX58UTrMnmnWRS1hnJ30Fu21Nki+ygyZi
iikJCYi8Fv2SjkvQh+klgVMsr/QxYvYIBKof0Tf4n8/gU6ABy9ZVUdiTeezATytT
Kh5r2C6I+nk9/Osl9s9pHauqzQ/evwjPe/d0eJXkHILam09KB6wqnJ4m3Gq9NcYc
S9f5vjTuScncrVn9+GTvr29onrhI8gh7BRTmYehgHaqt7Hl7alLeNV7ccIOjjYOY
qqC+qXDydaHUBBgappAnZnHepNPSKn0kjKhi63gsjoBVXnLmgR7mYUWwmvoPb+/t
E3T5PL73/cjxBNPk/THao0JI+3UoDlQG4rsZL/wxo7q1ZGzbtrbUrr+7Q7pDBY+y
3YhzVFu68xHkH0Tch3UxFn2qvPXToPHNCzSXDi9Dm5IuGf49UKc=
=97wq
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: SameSite attribute handling

2020-07-02 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Abirami,

On 7/1/20 03:06, S Abirami wrote:
> We can add the samesite attribute in set-cookie header through
> context.xml entry in tomcat. Is there any other way, can we add
> samesite attribute in response of set-cookie header.
Not for Tomcat-generated cookies, and not for cookies added to the
response like this:

  response.addCookie(myCookie);

This is because the Servlet API hasn't yet caught up with
state-of-the-art.

You can, however, craft your own Set-Cookie response header like this:

  response.addHeader("Set-Cookie", "CookieName=value; SameSite=Strict");

Remember that there are rules about the composition of the cookie's
name, value, etc. that Tomcat enforces for you that you will have to
handel yourself.

> I tried with filter by using setHeader but it is sending two
> set-Cookie header.

Correct: you will have to use *either* setCookie() or setHeader().

- -chris
-BEGIN PGP SIGNATURE-
Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/

iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAl7+GyYACgkQHPApP6U8
pFiSqBAAhG9IHJXD4ec6TQD1F2o9CIbRyHSkVYrAl0miT5cz6BkhuqG7uEnpUw66
8m3oe6CCG1syEliyyHM3A7ySXGEYm54otp4A0GRkcK64kd+RwQKKV5JsSp0xFxtG
dqKRtPGKJL7sQ+kaa4Qo2KqAa7ntQFTRVhg44Lofj8usiu/az5Kg6y8gSgQ/3I2Y
n75PCchaMHsilvSIm3sztR6MpoeRXevv7/93LfI1xzyN6Rg1mE0xivKReQfryMeT
sySwz3S1kZgOb3y+xUgSdL0HNSzT+IoKX58UTrMnmnWRS1hnJ30Fu21Nki+ygyZi
iikJCYi8Fv2SjkvQh+klgVMsr/QxYvYIBKof0Tf4n8/gU6ABy9ZVUdiTeezATytT
Kh5r2C6I+nk9/Osl9s9pHauqzQ/evwjPe/d0eJXkHILam09KB6wqnJ4m3Gq9NcYc
S9f5vjTuScncrVn9+GTvr29onrhI8gh7BRTmYehgHaqt7Hl7alLeNV7ccIOjjYOY
qqC+qXDydaHUBBgappAnZnHepNPSKn0kjKhi63gsjoBVXnLmgR7mYUWwmvoPb+/t
E3T5PL73/cjxBNPk/THao0JI+3UoDlQG4rsZL/wxo7q1ZGzbtrbUrr+7Q7pDBY+y
3YhzVFu68xHkH0Tch3UxFn2qvPXToPHNCzSXDi9Dm5IuGf49UKc=
=97wq
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org