M,

On 11/8/19 10:40, M. Manna wrote:
> Interesting question.
>
> samesite attribute is also to protect cookies from possible
> cross-site attacks. Even if you have super domain cookies, using
> strict/lax shouldn't make any difference for you, or does it?

I was just thinking that it's obvious that Tomcat would handle the JSESSIONID cookie with respect to the SameSite policy. But the CookieProcessor affects *all* cookies for the whole application, not just those created for session-tracking. Perhaps you want different policies for different (types of) cookies.

I haven't really thought of any specific use-cases, honestly.

Mark's workaround of directly-generating the Set-Cookie response header is obviously the answer if you want different policies for different cookies. That just may require applications to be re-written if the administrator wants to enable e.g. SameSite=Strict for the JSESSIONID cookie, because there is no way to say "only apply this policy to JSESSIONID cookies" or anything like that.

-chris

> On Fri, 8 Nov 2019 at 15:04, Christopher Schultz <
> ch...@christopherschultz.net> wrote:
>
> All,
>
> I'm looking at using "samesite" cookies within my application. It
> looks as simple as setting the "sameSite" attribute appropriately
> on the CookieProcessor for the <Context>, which isn't there in a
> default configuration. So you just have to add it:
>
> <Context [...]>
>
> <CookieProcessor sameSiteCookies="lax" />
>
> </Context>
>
> Cool, now my JSESSIONID cookies are coming back with the
> SameSite=Lax parameter.
>
> But it also applies to all the other cookies my application
> creates. It looks like there is no way to set/reset this parameter
> on an individual-cookie basis. That would require a change to the
> Servlet API, right?
>
> I'm okay with SameSite being applied to ALL my cookies, but maybe
> not everybody is. Are there any workarounds for this?
>
> -chris
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>
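As an added illustration of the workaround discussed in this thread (this is example code, not code from the thread or from Tomcat), the servlet below lets the context-wide `<CookieProcessor sameSiteCookies="lax" />` from the original message handle JSESSIONID and any cookie added through `response.addCookie()`, while two cookies that need a different policy are written as raw `Set-Cookie` headers, which the CookieProcessor never rewrites. It assumes Tomcat 9 with the `javax.servlet` API; the URL pattern `/prefs`, the cookie names `theme` and `step-up-ok`, the path `/admin` and the helper `setCookieHeader` are all hypothetical.

```java
// Added example, not code from this thread or from Tomcat itself.
// Assumes Tomcat 9 (javax.servlet) and a context.xml containing
// <CookieProcessor sameSiteCookies="lax" /> as in the thread. Cookies added
// with response.addCookie() and the JSESSIONID cookie get that context-wide
// policy; cookies written here as raw Set-Cookie headers carry their own.
import java.io.IOException;
import java.util.Locale;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebServlet("/prefs") // hypothetical URL pattern
public class PerCookieSameSiteServlet extends HttpServlet {

    /** Reject characters that would let a field terminate the cookie or the
     *  header line (CTLs, whitespace, ';', ',', '"', '\\', and '=' in a name).
     *  This is a simplified form of the RFC 6265 cookie-octet rule. */
    private static void checkField(String what, String s, boolean isName) {
        if (s == null || s.isEmpty()) {
            throw new IllegalArgumentException("cookie " + what + " must not be empty");
        }
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            boolean bad = c <= 0x20 || c >= 0x7F || c == ';' || c == ','
                    || c == '"' || c == '\\' || (isName && c == '=');
            if (bad) {
                throw new IllegalArgumentException("illegal character in cookie " + what);
            }
        }
    }

    /** Build one Set-Cookie header value with an explicit, per-cookie SameSite. */
    static String setCookieHeader(String name, String value, int maxAgeSeconds,
                                  String path, boolean secure, boolean httpOnly,
                                  String sameSite) {
        checkField("name", name, true);
        checkField("value", value, false);
        checkField("path", path, false);
        String mode = sameSite.toLowerCase(Locale.ROOT);
        if (!mode.equals("strict") && !mode.equals("lax") && !mode.equals("none")) {
            throw new IllegalArgumentException("SameSite must be Strict, Lax or None");
        }
        if (mode.equals("none") && !secure) {
            // Browsers discard SameSite=None cookies that lack Secure, so fail
            // loudly here instead of silently losing the cookie at the client.
            throw new IllegalArgumentException("SameSite=None requires Secure");
        }
        StringBuilder sb = new StringBuilder(name).append('=').append(value);
        if (maxAgeSeconds >= 0) {
            sb.append("; Max-Age=").append(maxAgeSeconds);
        }
        sb.append("; Path=").append(path);
        if (secure) {
            sb.append("; Secure");
        }
        if (httpOnly) {
            sb.append("; HttpOnly");
        }
        sb.append("; SameSite=")
          .append(Character.toUpperCase(mode.charAt(0)))
          .append(mode.substring(1));
        return sb.toString();
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Creating the session makes Tomcat queue the JSESSIONID Set-Cookie
        // through the CookieProcessor, i.e. with the context-wide SameSite.
        req.getSession(true);

        // A UI preference that must survive top-level cross-site navigation:
        // sent with its own SameSite=Lax regardless of the context setting.
        // addHeader, never setHeader: setHeader would replace every Set-Cookie
        // already queued on the response, JSESSIONID included.
        resp.addHeader("Set-Cookie", setCookieHeader(
                "theme", "dark", 86400, "/", req.isSecure(), false, "Lax"));

        // A short-lived marker only meaningful on same-site requests: Strict,
        // Secure and HttpOnly even though the context is configured as lax.
        resp.addHeader("Set-Cookie", setCookieHeader(
                "step-up-ok", "1", 300, "/admin", true, true, "Strict"));

        resp.setContentType("text/plain");
        resp.getWriter().println("cookies set");
    }
}
```

The helper only reproduces, for the one cookie, the attribute handling that the CookieProcessor would otherwise have done; everything added with `addCookie()` still gets the context-wide setting, which is exactly the split the thread describes. The character checks matter because a raw header bypasses the validation Tomcat applies to `Cookie` objects, so any value that reaches `setCookieHeader` from user input must not be able to inject further attributes or header lines.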