Chris,

With "having control on the server but not on the application" I meant that
I could make changes on the server, but I have no control to make
modifications to the application code.
My concern with the changed Chrome behavior regarding the SameSite cookie
attribute (https://www.chromestatus.com/feature/5088147346030592) is that
assuming "Lax" as the default value of the SameSite attribute would break some
specific authentication scenarios. Here I am concerned particularly with
the SameSite attribute of the JSESSIONID cookie.
In a valve I can modify a header when the valve is invoked and before it
calls the next valve in the chain, but at that time the JSESSIONID cookie
may not be issued yet. And when the control comes back to the valve on the
way back it may be too late to change the header value.
In Tomcat 8 and above the SameSite attribute can be specified as a
configuration of the CookieProcessor implementation. Is it possible to
achieve this reliably in Tomcat 7?

Lazar

On Fri, Jan 31, 2020 at 6:03 PM Christopher Schultz <
ch...@christopherschultz.net> wrote:

>
> Lazar,
>
> On 1/30/20 12:25 PM, Lazar Kirchev wrote:
> > The problem is that I cannot make it from within the application. I
> > have no control on the application, only on the server, so I have
> > to be able to set the cookie either in a server configuration or in
> > a component which will reside in the server.
>
> It's not clear to me what you mean by "server". Usually, the
> application runs on the server, so if you only have control of the
> server... you have control of the application.
>
> > I am concerned particularly with the SameSite attribute of the
> > JSESSIONID cookie because of the new behavior of Chrome 80 -
> > https://www.chromestatus.com/feature/5088147346030592
>
> What is your specific concern?
>
> > I was considering having a valve which modifies the Set-Cookie
> > header. But if the application flushes the output stream the
> > headers will be written to the socket and the valve will not have
> > the chance to modify the cookie.
>
> You can use a <Valve> which can intercept the calls to setHeader(),
> etc. to correct the header value.
>
> Which cookie are you trying to modify?
>
> -chris
>
> > On Tue, Jan 28, 2020 at 5:27 PM Christopher Schultz <
> > ch...@christopherschultz.net> wrote:
> >
> > John,
> >
> > On 1/27/20 9:37 AM, John Dale wrote:
> >>>> Over the years I found it more productive to manage my own
> >>>> headers for the most part.
> >>>>
> >>>> The key for us has been keeping the code clean and
> >>>> manageable.
> >
> > +1
> >
> > But there isn't any reason not to use Tomcat's header parsing. If
> > you have anything that could be considered odd, you should encode
> > it in a safe way that doesn't require that you play other games
> > with the cookie value.
> >
> > For example, base64 encoding a cookie value should make it
> > header-safe, as long as you make sure to use a base64 encoder that
> > doesn't add newlines.
> >
> > -chris
> >
> >>>> On 1/27/20, Lazar Kirchev <lazar.kirc...@gmail.com> wrote:
> >>>>> Hello,
> >>>>>
> >>>>> In Tomcat >= 8 there is the CookieProcessor in which
> >>>>> cookie configurations could be made, including for SameSite
> >>>>> cookie. Is there any way to configure this in Tomcat 7? Or
> >>>>> the only way is to configure it manually in code?
> >>>>>
> >>>>> Kind regards, Lazar
> >>>>>
> >>>>
> >
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>
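Chris suggests a Valve that corrects the Set-Cookie header, and Lazar points out that a response the application has already flushed defeats it. The following is an added example, not code from the thread and not part of Tomcat: a hypothetical Tomcat 7 Valve that rewrites the Set-Cookie headers held in the Coyote response after the rest of the pipeline has run, and logs the committed-response case it cannot handle. The class name and the cookieName/sameSite attributes are assumptions.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;
import org.apache.juli.logging.Log;
import org.apache.juli.logging.LogFactory;
import org.apache.tomcat.util.http.MessageBytes;
import org.apache.tomcat.util.http.MimeHeaders;

/**
 * Hypothetical Tomcat 7 Valve (example code, not shipped with Tomcat).
 * Configure in server.xml, e.g. inside <Host>:
 *   <Valve className="SameSiteCookieValve" cookieName="JSESSIONID" sameSite="Lax"/>
 */
public class SameSiteCookieValve extends ValveBase {
    private static final Log log = LogFactory.getLog(SameSiteCookieValve.class);
    private String cookieName = "JSESSIONID";   // cookie to tag; assumed default
    private String sameSite = "Lax";            // SameSite value; assumed default

    public void setCookieName(String cookieName) { this.cookieName = cookieName; }
    public void setSameSite(String sameSite) { this.sameSite = sameSite; }

    @Override
    public void invoke(Request request, Response response) throws IOException, ServletException {
        // Let the application (and Tomcat's session handling) run first, so the
        // JSESSIONID Set-Cookie header exists by the time we look at the headers.
        getNext().invoke(request, response);
        if (response.isCommitted()) {
            // Headers already went to the socket (e.g. the app flushed the stream):
            // this is the case the valve cannot fix, so make it visible in the logs.
            log.warn("Response already committed for " + request.getRequestURI()
                    + "; SameSite could not be applied to " + cookieName);
            return;
        }
        MimeHeaders headers = response.getCoyoteResponse().getMimeHeaders();
        for (int i = 0; i < headers.size(); i++) {
            if (!"Set-Cookie".equalsIgnoreCase(headers.getName(i).toString())) {
                continue;
            }
            MessageBytes value = headers.getValue(i);
            String cookie = value.toString();
            // Only touch the configured cookie, and never add a second SameSite attribute.
            if (cookie.startsWith(cookieName + "=")
                    && !cookie.toLowerCase().contains("samesite=")) {
                value.setString(cookie + "; SameSite=" + sameSite);
            }
        }
    }
}
```

Because the rewrite happens only when control returns to the valve, it covers the common case (session created inside the servlet, response committed by Tomcat afterwards) but not a response the application has already flushed, which is exactly the gap Lazar describes.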
