[
https://issues.apache.org/jira/browse/MYFACES-4417?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17426588#comment-17426588
]
Melloware commented on MYFACES-4417:
------------------------------------
If anyone reading this uses JBoss or any Undertow servlet container you can use
this SessionListener hack to set the SameSite on all JSESSIONID cookies.
{code:java}
import java.lang.reflect.Field;

import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.servlet.annotation.WebListener;

import org.apache.commons.lang3.reflect.FieldUtils;

import io.undertow.server.HttpServerExchange;
import io.undertow.server.handlers.Cookie;
import io.undertow.server.handlers.CookieImpl;
import io.undertow.servlet.spec.SessionCookieConfigImpl;
import lombok.extern.slf4j.Slf4j;

@Slf4j // Lombok generates a static "log" field
@WebListener
public class SecureCookieServletContextListener implements ServletContextListener {

    /**
     * Override environment behavior by forcing the secure cookie = false with an
     * environment variable.
     */
    private boolean secureCookie = true;

    /**
     * Override environment behavior by allowing ROOT.WAR to disable this
     * functionality.
     */
    private boolean enabled = true;

    /** Default to Strict unless otherwise specified. */
    private String sameSiteMode = "Strict";

    @Override
    public void contextInitialized(final ServletContextEvent sce) {
        if (!enabled) {
            return;
        }
        // default to secure
        boolean httpOnly = secureCookie;
        boolean secure = secureCookie;
        String sameSite = sameSiteMode;

        // replace this code with your own for detecting your environment
        // ("environment" is a placeholder and is not defined in this listing)
        switch (environment.getConfiguredEnvironmentEnum()) {
            case LOCAL:
            case DEV:
                // local environment can be insecure
                httpOnly = false;
                secure = false;
                sameSite = "None";
                break;
            default:
                break;
        }

        final ServletContext context = sce.getServletContext();
        final SessionCookieConfig cookieConfig = context.getSessionCookieConfig();

        // hack: replace Undertow's private final "delegate" with one that adds SameSite
        if (secure) {
            try {
                final Field field = FieldUtils.getField(SessionCookieConfigImpl.class, "delegate", true);
                FieldUtils.removeFinalModifier(field);
                FieldUtils.writeField(field, cookieConfig, new SameSiteSessionCookieConfig(sameSite), true);
            } catch (final Throwable ex) {
                log.error("Unable to update SessionCookieConfig with SameSite handler.", ex);
            }
        }
        cookieConfig.setHttpOnly(httpOnly);
        cookieConfig.setSecure(secure);
        log.info("Initializing SecureCookieServletContextListener. HttpOnly={}, Secure={}, SameSite={}",
                httpOnly, secure, sameSite);
    }

    @Override
    public void contextDestroyed(final ServletContextEvent sce) {
        log.info("Destroying SecureCookieServletContextListener ...");
    }

    /**
     * The RFC 6265bis cookie draft adds a SameSite attribute ("None", "Lax" or
     * "Strict"). It is not part of the Servlet 4.0 specification, but Undertow
     * supports it under the covers. This custom session cookie configuration
     * sets it (by default to Strict), so the session cookie is only sent on
     * requests from the site that created it and never on requests initiated
     * by third parties.
     *
     * @see https://blog.heroku.com/chrome-changes-samesite-cookie
     */
    public static class SameSiteSessionCookieConfig extends io.undertow.server.session.SessionCookieConfig {

        private final String sameSite;

        public SameSiteSessionCookieConfig(final String sameSiteMode) {
            sameSite = sameSiteMode;
        }

        @Override
        public void setSessionId(final HttpServerExchange exchange, final String sessionId) {
            super.setSessionId(exchange, sessionId);
            // the session cookie has just been queued on the exchange; tag it with SameSite.
            // getCookieName() honours a cookie name configured in web.xml (default JSESSIONID)
            for (final Cookie cookie : exchange.getResponseCookies().values()) {
                if (cookie instanceof CookieImpl && getCookieName().equalsIgnoreCase(cookie.getName())) {
                    ((CookieImpl) cookie).setSameSiteMode(sameSite);
                }
            }
        }
    }
}
{code}
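Editor's note: the listener above depends on Undertow internals (reflection on a private final field of SessionCookieConfigImpl), so it breaks whenever Undertow changes that class. The filter below is an added, container-neutral fallback written for this page; it is not code from the comment above and not MyFaces code. It rewrites outgoing Set-Cookie headers after the request has been handled and assumes the container exposes container-generated cookies through HttpServletResponse#getHeaders("Set-Cookie") before the response is committed (Tomcat does; Undertow keeps response cookies apart from the header map until the response starts, which is what the reflection hack works around). The init-param name "sameSite" is an assumption.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example (not MyFaces code): rewrite every Set-Cookie header that lacks a
 * SameSite attribute once the filter chain has run. Covers the container's session
 * cookie and application cookies (such as the MyFaces flash token) alike, on containers
 * that surface them as headers before commit.
 */
@WebFilter(urlPatterns = "/*")
public class SameSiteCookieFilter implements Filter {

    private static final String SET_COOKIE = "Set-Cookie";

    /** Default mode; overridable with the init-param "sameSite" (assumed name). */
    private String mode = "Strict";

    @Override
    public void init(final FilterConfig config) {
        final String configured = config.getInitParameter("sameSite");
        if (configured != null && !configured.isEmpty()) {
            mode = configured;
        }
    }

    @Override
    public void doFilter(final ServletRequest req, final ServletResponse res, final FilterChain chain)
            throws IOException, ServletException {
        chain.doFilter(req, res);
        if (!(res instanceof HttpServletResponse)) {
            return;
        }
        final HttpServletResponse response = (HttpServletResponse) res;
        if (response.isCommitted()) {
            return; // headers are already on the wire; nothing can be changed now
        }
        final Collection<String> originals = response.getHeaders(SET_COOKIE);
        if (originals == null || originals.isEmpty()) {
            return;
        }
        final List<String> rewritten = new ArrayList<>();
        for (final String header : originals) {
            rewritten.add(withSameSite(header, mode));
        }
        // setHeader replaces all existing values for the name; addHeader puts the rest back
        response.setHeader(SET_COOKIE, rewritten.get(0));
        for (int i = 1; i < rewritten.size(); i++) {
            response.addHeader(SET_COOKIE, rewritten.get(i));
        }
    }

    /**
     * Adds SameSite to one Set-Cookie value unless it already carries the attribute.
     * Edge case: browsers only honour SameSite=None when Secure is also present, so a
     * non-Secure cookie is downgraded to Lax instead of being emitted in a form the
     * browser would reject.
     */
    static String withSameSite(final String setCookie, final String mode) {
        if (hasAttribute(setCookie, "SameSite")) {
            return setCookie; // respect an explicit choice made by the application
        }
        String effective = mode;
        if ("None".equalsIgnoreCase(mode) && !hasAttribute(setCookie, "Secure")) {
            effective = "Lax";
        }
        return setCookie + "; SameSite=" + effective;
    }

    /** Case-insensitive attribute lookup; segment 0 is the name=value pair and is skipped. */
    static boolean hasAttribute(final String setCookie, final String attribute) {
        final String[] parts = setCookie.split(";");
        for (int i = 1; i < parts.length; i++) {
            final String part = parts[i].trim();
            final int eq = part.indexOf('=');
            final String name = eq < 0 ? part : part.substring(0, eq);
            if (name.trim().equalsIgnoreCase(attribute)) {
                return true;
            }
        }
        return false;
    }
}
```

Before relying on either approach, verify the result from the outside: open the login page, inspect the Set-Cookie header for JSESSIONID, and confirm it carries Secure, HttpOnly and the intended SameSite value. Strict blocks the session cookie on top-level navigations that arrive from another site (a user following a link from an e-mail lands without a session), which is why Lax is the usual production choice for a session cookie and Strict is reserved for applications that never need to be entered through cross-site links.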
> Support for Same Site and HSTS
> ------------------------------
>
> Key: MYFACES-4417
> URL: https://issues.apache.org/jira/browse/MYFACES-4417
> Project: MyFaces Core
> Issue Type: Bug
> Components: General
> Affects Versions: 2.3.9
> Environment: Redhat Linux
> Reporter: Andrew Charles Cilia
> Priority: Major
>
> Security Auditors have identified that Session Cookies
> oam.Flash.RENDERMAP.TOKEN and other Myfaces cookies are not handling Same
> Site and HTTP Strict Transport Security. I am unfortunately not knowledgeable
> enough to respond to this although I have browsed and cannot see any
> references to these security measures in the context of myfaces.
> Is this handled by some version of myfaces?
> If not, is it something that is in the pipeline?
> If not in the pipeline, can I find some explanation somewhere that states
> that it is unnecessary?
>
> Regards
>
>
--
This message was sent by Atlassian Jira
(v8.3.4#803005)