By the way, there is something wrong with the response headers you posted: there are two Set-Cookie headers for different paths, and the one for root has an empty session id - you must have some code that is explicitly setting this.

Jan

On Thu, 15 Jul 2021 at 11:50, Jan Bartel <[email protected]> wrote:
> I can't reproduce this using the standard jetty distro and the standard test webapp that just creates a session via HttpServletRequest.getSession(true), and the web.xml snippet you provided. I tried both 9.4.38 and the latest release and both result in a response with the correct Set-Cookie:
>
> Content-Length: 0
> Expires: Thu, 01 Jan 1970 00:00:00 GMT
> Location: http://localhost:8080/test/session/;jsessionid=node01ggldqpcbwnmpvb21biv2gceb0.node0?R=0
> Server: Jetty(9.4.38.v20210224)
> Set-Cookie: visited=yes
> Set-Cookie: JSESSIONID=node01ggldqpcbwnmpvb21biv2gceb0.node0; Path=/test; Secure; HttpOnly; SameSite=Strict
>
> Some questions for you:
>
> Are you sure you don't have any code that would interfere with the setCookie?
> Are you setting this web snippet in a web.xml, or a web-fragment.xml or a web-override.xml?
> Is this response being generated directly from jetty or is this via some other middleware that fronts it (apache, haproxy etc etc?)?
> When is this session created? Is it created by your code, or is it created by jetty implicitly via a form login?
> Did a session already exist when the form login occurred?
>
> Jan
>
> On Thu, 15 Jul 2021 at 04:02, Sai Sankar Challa via jetty-users <[email protected]> wrote:
>> Sorry for snipped images.
>>
>> *Here is the configuration added in web.xml*
>>
>> <session-config>
>>   <cookie-config>
>>     <http-only>true</http-only>
>>     <secure>true</secure>
>>     <comment>__SAME_SITE_STRICT__</comment>
>>   </cookie-config>
>> </session-config>
>>
>> *Response Headers*
>>
>> HTTP/1.1 200 OK
>> Content-Type: text/html;charset=utf-8
>> Set-Cookie: JSESSIONID=node0u99zpkbrxegr59fnxzac8m217.node0; Path=/dashboard; Secure; HttpOnly
>> Expires: Thu, 01 Jan 1970 00:00:00 GMT   *//Here expecting SameSite to be returned*
>> Set-Cookie: JSESSIONID=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0
>> X-Frame-Options: DENY
>> Referrer-Policy: same-origin
>> X-Content-Type-Options: nosniff
>> X-XSS-Protection: 1; mode=block
>> Content-Security-Policy: default-src 'self' https:; script-src 'self' 'sha256-jLiclQuK1N1QZInVr4VJp6uKckK7+/GGsba4nme+PRA=' 'sha256-WcSfBbTthoIIuIdlLvU5spxO2l32y5Nw3Oh4jk4VnBY='; object-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; media-src 'self'; frame-src 'self'; font-src 'self'; connect-src 'self'
>> Strict-Transport-Security: max-age=31536000; includeSubDomains
>> Content-Length: 3737
>>
>> Thanks
>> Sai
>>
>> *From:* Joakim Erdfelt <[email protected]>
>> *Sent:* Wednesday, July 14, 2021 10:46 PM
>> *To:* Sai Sankar Challa <[email protected]>
>> *Cc:* JETTY user mailing list <[email protected]>
>> *Subject:* Re: [jetty-users] SameSite to STRICT
>>
>> You are using browser developer tooling.
>>
>> What does the raw HTTP Response (that sets the JSESSIONID) look like?
>> As in, can you copy/paste the response, in raw form (not in a table, not post-parsed, not as an image) to this mailing list?
>>
>> Joakim Erdfelt / [email protected]
>>
>> On Wed, Jul 14, 2021 at 11:34 AM Sai Sankar Challa <[email protected]> wrote:
>>
>> Thanks for the response.
>>
>> I am assuming this is done by Jetty Server.
>>
>> The URL we are trying is the very first URL, i.e., the login page; post login we do have filter classes where we are doing some modifications.
>>
>> Thanks
>> Sai
>>
>> *From:* Joakim Erdfelt <[email protected]>
>> *Sent:* Wednesday, July 14, 2021 9:49 PM
>> *To:* JETTY user mailing list <[email protected]>
>> *Cc:* Sai Sankar Challa <[email protected]>
>> *Subject:* Re: [jetty-users] SameSite to STRICT
>>
>> What does the actual HTTP Response that created that JSESSIONID look like?
>>
>> Joakim Erdfelt / [email protected]
>>
>> On Wed, Jul 14, 2021 at 11:07 AM Sai Sankar Challa via jetty-users <[email protected]> wrote:
>>
>> Hi Team
>>
>> We upgraded our Jetty version to 9.4.38.v20210224 and we want to set the 'SameSite' attribute to 'Strict' in JSESSIONID for our portal security.
>>
>> We made the code changes as per below in our web.xml and still are not seeing any difference.
>>
>> <session-config>
>>   <cookie-config>
>>     <http-only>false</http-only>
>>     <secure>false</secure>
>>     <comment>__SAME_SITE_STRICT__</comment>
>>   </cookie-config>
>> </session-config>
>>
>> Browser Cookie
>>
>> Can you please throw some idea to get this done.
>>
>> Thanks
>> Sai
>>
>> _______________________________________________
>> jetty-users mailing list
>> [email protected]
>> To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/jetty-users
>
> --
> Jan Bartel <[email protected]>
> www.webtide.com
> *Expert assistance from the creators of Jetty and CometD*

--
Jan Bartel <[email protected]>
www.webtide.com
*Expert assistance from the creators of Jetty and CometD*
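The check Jan did by eye on the posted headers, as an added example that is not code from the jetty-users thread or from Jetty itself: it reads a raw HTTP response, lists every Set-Cookie, reports which of Secure, HttpOnly and SameSite each session cookie carries, and flags a cookie whose value is empty and that is already expired (Max-Age=0 or a past Expires), which is the "JSESSIONID=; Path=/" deletion cookie in the original poster's response. Python is used only because the check is plain header inspection; the sample input is the response posted in the thread, trimmed to the relevant headers.

```python
"""Audit the Set-Cookie headers of a raw HTTP response for session-cookie hygiene.

Added example for this thread; it is not code from the jetty-users list or from
Jetty. It lists every Set-Cookie in a raw response, checks Secure / HttpOnly /
SameSite on each, and flags a cookie with an empty value plus Max-Age=0 or a
past Expires, i.e. a deletion cookie such as the second JSESSIONID line the
original poster showed (that one must come from application code, not from the
web.xml session-config).
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, List, Optional

REQUIRED_ATTRS = ("Secure", "HttpOnly", "SameSite")


@dataclass
class CookieReport:
    name: str
    value: str
    path: Optional[str]
    samesite: Optional[str]
    deletion: bool                      # empty value and already expired: clears the cookie
    missing: List[str] = field(default_factory=list)


def _expired(attrs: Dict[str, Optional[str]]) -> bool:
    """True if the cookie's Max-Age is 0 or its Expires date lies in the past."""
    if attrs.get("max-age") == "0":
        return True
    expires = attrs.get("expires")
    if not expires:
        return False
    try:
        when = parsedate_to_datetime(expires)   # also accepts the 01-Jan-1970 form
    except (TypeError, ValueError):
        return False
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    return when < datetime.now(timezone.utc)


def parse_set_cookie(header_value: str) -> CookieReport:
    """Parse one Set-Cookie value: name=value, then ';'-separated attributes (RFC 6265)."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, Optional[str]] = {}
    for attr in parts[1:]:
        if attr:
            key, has_eq, val = attr.partition("=")
            attrs[key.strip().lower()] = val.strip() if has_eq else None
    report = CookieReport(
        name=name.strip(), value=value.strip(), path=attrs.get("path"),
        samesite=attrs.get("samesite"),
        deletion=(value.strip() == "" and _expired(attrs)),
    )
    if not report.deletion:      # attributes only matter on a cookie the browser keeps
        for wanted in REQUIRED_ATTRS:
            if wanted.lower() not in attrs:
                report.missing.append(wanted)
    return report


def audit_response(raw_response: str) -> List[CookieReport]:
    """Return a report for every Set-Cookie header in a raw HTTP response."""
    head = raw_response.replace("\r\n", "\n").split("\n\n", 1)[0]
    reports = []
    for line in head.split("\n")[1:]:            # skip the status line
        hname, sep, hvalue = line.partition(":")
        if sep and hname.strip().lower() == "set-cookie":
            reports.append(parse_set_cookie(hvalue.strip()))
    return reports


def describe(report: CookieReport) -> str:
    """One-line finding for a cookie, in the spirit of Jan's remark."""
    where = f"Path={report.path}" if report.path else "no Path"
    if report.deletion:
        return f"{report.name} ({where}): empty value and expired, a deletion cookie set explicitly by some code"
    if report.missing:
        return f"{report.name} ({where}): missing {', '.join(report.missing)}"
    return f"{report.name} ({where}): Secure, HttpOnly, SameSite={report.samesite}"


# Sample input: the response posted in the thread, trimmed to the relevant headers.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html;charset=utf-8\r\n"
    "Set-Cookie: JSESSIONID=node0u99zpkbrxegr59fnxzac8m217.node0; Path=/dashboard; Secure; HttpOnly\r\n"
    "Expires: Thu, 01 Jan 1970 00:00:00 GMT\r\n"
    "Set-Cookie: JSESSIONID=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0\r\n"
    "Content-Length: 3737\r\n\r\n"
)

if __name__ == "__main__":
    for r in audit_response(SAMPLE_RESPONSE):
        print(describe(r))
```

Run against the sample, the first JSESSIONID is reported as missing SameSite and the second as a deletion cookie, which is exactly the pair of observations in the thread; feeding it the response Jan got from the stock distro instead reports a single JSESSIONID with all three attributes.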
