Re: SameSite attribute handling
Abirami,

On 7/6/20 12:16, S Abirami wrote:
> I have used setHeader, addCookie for that also it is getting
> twice

Of course it is, if Tomcat is automatically adding a Cookie to the
response for you.

> Only after, disabling cookie false in context.xml setHeader for
> cookie is working.

What exact version of Tomcat are you using?

What is the problem you are trying to solve? If you are setting
sameSiteCookies to something other than "unset", then it will affect
all cookies for which Tomcat generates a "Set-Cookie" header.

> I tried option also ??

From your original post:

> Context changes reflecting issue in tenable vulnerable.

I'm not sure I understand what you are saying, here. Can you explain
in a different way?

-chris

> -----Original Message-----
> From: Christopher Schultz
> Sent: Thursday, July 2, 2020 11:07 PM
> To: Tomcat Users List
> Subject: Re: SameSite attribute handling
>
> Abirami,
>
> On 7/1/20 03:06, S Abirami wrote:
>> We can add the samesite attribute in set-cookie header through
>> context.xml entry in tomcat. Is there any other way, can we add
>> samesite attribute in response of set-cookie header.
>
> Not for Tomcat-generated cookies, and not for cookies added to the
> response like this:
>
> response.addCookie(myCookie);
>
> This is because the Servlet API hasn't yet caught up with
> state-of-the-art.
>
> You can, however, craft your own Set-Cookie response header like
> this:
>
> response.addHeader("Set-Cookie", "CookieName=value; SameSite=Strict");
>
> Remember that there are rules about the composition of the cookie's
> name, value, etc. that Tomcat enforces for you that you will have
> to handle yourself.
>
>> I tried with filter by using setHeader but it is sending two
>> set-Cookie header.
>
> Correct: you will have to use *either* setCookie() or setHeader().
>
> -chris

To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
RE: SameSite attribute handling
Hi Christopher,

I have used setHeader, addCookie for that also it is getting twice

Only after, disabling cookie false in context.xml setHeader for cookie is working.

I tried option also

Regards,
Abirami.S

-----Original Message-----
From: Christopher Schultz
Sent: Thursday, July 2, 2020 11:07 PM
To: Tomcat Users List
Subject: Re: SameSite attribute handling

Abirami,

On 7/1/20 03:06, S Abirami wrote:
> We can add the samesite attribute in set-cookie header through
> context.xml entry in tomcat. Is there any other way, can we add
> samesite attribute in response of set-cookie header.

Not for Tomcat-generated cookies, and not for cookies added to the
response like this:

response.addCookie(myCookie);

This is because the Servlet API hasn't yet caught up with
state-of-the-art.

You can, however, craft your own Set-Cookie response header like this:

response.addHeader("Set-Cookie", "CookieName=value; SameSite=Strict");

Remember that there are rules about the composition of the cookie's
name, value, etc. that Tomcat enforces for you that you will have to
handle yourself.

> I tried with filter by using setHeader but it is sending two
> set-Cookie header.

Correct: you will have to use *either* setCookie() or setHeader().

-chris
Re: SameSite attribute handling
Abirami,

On 7/1/20 03:06, S Abirami wrote:
> We can add the samesite attribute in set-cookie header through
> context.xml entry in tomcat. Is there any other way, can we add
> samesite attribute in response of set-cookie header.

Not for Tomcat-generated cookies, and not for cookies added to the
response like this:

response.addCookie(myCookie);

This is because the Servlet API hasn't yet caught up with
state-of-the-art.

You can, however, craft your own Set-Cookie response header like this:

response.addHeader("Set-Cookie", "CookieName=value; SameSite=Strict");

Remember that there are rules about the composition of the cookie's
name, value, etc. that Tomcat enforces for you that you will have to
handle yourself.

> I tried with filter by using setHeader but it is sending two
> set-Cookie header.

Correct: you will have to use *either* setCookie() or setHeader().

-chris
SameSite attribute handling
Hi All,

We can add the samesite attribute in set-cookie header through context.xml entry in tomcat.
Is there any other way, can we add samesite attribute in response of set-cookie header.

Context changes reflecting issue in tenable vulnerable. Hence looking for any other way.

I tried with filter by using setHeader but it is sending two set-Cookie header.

Regards,
Abirami.S