On Fri, Nov 8, 2019 at 4:04 PM Christopher Schultz < ch...@christopherschultz.net> wrote:
> -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA256 > > All, > > I'm looking at using "samesite" cookies within my application. It > looks as simple as setting the "sameSite" attribute appropriately on > the CookieProcessor for the <Context>, which isn't there in a default > configuration. So you just have to add it: > > <Context [...]> > > <CookieProcessor sameSiteCookies="lax" /> > > </Context> > > Cool, now my JSESSIONID cookies are coming back with the SameSite=Lax > parameter. > > But it also applies to all the other cookies my application creates. > It looks like there is no way to set/reset this parameter on an > individual-cookie basis. That would require a change to the Servlet > API, right? > > I'm okay with SameSite being applied to ALL my cookies, but maybe not > everybody is. Are there any workarounds for this? > The Servlet API has no remove cookie API. If you use a Valve, you can remove cookies using Response.getCookies and then remove from the list. But this is not really the problem here since the same site thing is added when the cookie header is generated. You can extend the CookieGenerator to add more flexibility for your use case maybe ? Rémy
