-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Mark,
On 11/8/19 11:53, Mark Thomas wrote:
>> All,
>>
>> I'm looking at using "samesite" cookies within my application.
>> It looks as simple as setting the "sameSite" attribute
>> appropriately on the CookieProcessor for the <Context>, which
>> isn't there in a default configuration. So you just have to add
>> it:
>>
>> <Context [...]>
>>
>> <CookieProcessor sameSiteCookies="lax" />
>>
>> </Context>
>>
>> Cool, now my JSESSIONID cookies are coming back with the
>> SameSite=Lax parameter.
>>
>> But it also applies to all the other cookies my application
>> creates. It looks like there is no way to set/reset this
>> parameter on an individual-cookie basis. That would require a
>> change to the Servlet API, right?
>
> That would be one way to implement it - and then the app would have
> to (un)set it.
>
> Per Cookie configuration in CookieProcessor would be another way.
> I haven't thought about how that might be implemented though.
It seems that there are enough cookie parameters that the servlet spec
doesn't support[1], it might not be a bad idea to propose two new
methods to be added to the Cookie class:
public void setAttribute(String name, String value);
public String getAttribute(String name);
Then, if e.g. SameSite isn't directly supported by the Cookie APi,
applications can still:
Cookie cookie = new Cookie("my_cookie");
cookie.setAttribute("SameSite", "Strict"); // or null
>> I'm okay with SameSite being applied to ALL my cookies, but maybe
>> not everybody is. Are there any workarounds for this?
>
> Manually write your own cookie header.
Duh. Of course that will work :)
- -chris
[1] https://scotthelme.co.uk/tough-cookies/
-----BEGIN PGP SIGNATURE-----
Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/
iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAl3FozMACgkQHPApP6U8
pFhuEBAAoGIEgFDoFfyKH85SySn/7GZEbw0EoM0lPL/09Hm9EiL4n00FBYRy/AiA
inSubQExqG+3iaNIXcBn/mQgAetCNOxXjNKeEvmcO9ljYLGAoExkqHomCSkMFEZL
AFNSei3+fYK4DHCciKKIC7n/IDbMCDxT8XM8or1rF0efvIyGa4leI9xZqew8yKjs
1/OnhsjvnLsctL/5NkBJkJF49W3Qk7Owl7tThyprqQjwnslGCXgm0gHL+/9JKERX
XSxlbsNTGgMAkx0tQU+jRPrO+nPC0FgotE8TZ7lVrpv65eMZ/hf7t7YaYlGWeaJl
EZPg8Uoigwze9vK3+C48z0ynHaBMPa/boLHfsxxgIdNGN0ouHrvFndVAzfvR9Rlk
jlmoWaAYzTqKUevosOE5sXHdlh0sHsv/DxB2DxT2v1FHiqZ2p7dyEWCzpa+BxovO
R7Ezj9l3ecVZkcmQn8UHT9nX3MZcCvjVf/EDYbiZS+TI6pq8PfMw8o5d+NO1JDIn
RtQ3mlJ7pUaqRK6+ItAGQssL9gSlUhcK/wyqXyaSCOx61eWxeKzo66YmOMi7bflV
Tz72DkSH/5Ml6AgMLiVBYA9qBtcApjMhHKYlZ+h/i2S+qKgATs8vTEfF3WZQWcV/
Eg05iDha/DpM5gcFzTewMhtNn/Hb+eR5UWHN6ogcY/YZ9qHwpx0=
=Ps3/
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
