Hello
Unfortunately you can't disable sessions entirely in Pax Web. Session (and
security) support is added by default for all (Jetty, Tomcat, Undertow)
runtimes.
Same for additional elements of the session cookie. Pax Web maps this
web.xml configuration for session cookie:
<cookie-config>
    <name>token</name>
    <domain>token</domain>
    <path>token</path>
    <comment>token</comment>
    <http-only>true</http-only>
    <secure>true</secure>
    <max-age>100</max-age>
</cookie-config>
And you can configure these using the org.ops4j.pax.web PID:
- org.ops4j.pax.web.session.cookie.name
- org.ops4j.pax.web.session.cookie.domain
- org.ops4j.pax.web.session.cookie.path
- org.ops4j.pax.web.session.cookie.comment
- org.ops4j.pax.web.session.cookie.httpOnly
- org.ops4j.pax.web.session.cookie.secure
- org.ops4j.pax.web.session.cookie.maxAge
Even from the javax.servlet.http.Cookie API point of view, I don't see anything
related to SameSite...
BUT!
I just found something I wasn't aware of. For Jetty, I see this code:
public static SameSite getSameSiteFromComment(String comment) {
    // The Servlet Cookie API has no SameSite setter, so Jetty looks for
    // marker strings inside the cookie comment instead.
    if (comment != null) {
        if (comment.contains("__SAME_SITE_STRICT__")) {
            return HttpCookie.SameSite.STRICT;
        }
        if (comment.contains("__SAME_SITE_LAX__")) {
            return HttpCookie.SameSite.LAX;
        }
        if (comment.contains("__SAME_SITE_NONE__")) {
            return HttpCookie.SameSite.NONE;
        }
    }
    return null; // no marker found in the comment
}
So it should be enough (for Jetty) for you to add a cookie comment with
"__SAME_SITE_STRICT__".
pax-web-tomcat uses by default
org.apache.tomcat.util.http.Rfc6265CookieProcessor, but its
"sameSiteCookies" defaults to "unset" and it's not handled in Pax Web.
In pax-web-undertow there's a special
io.undertow.server.handlers.SameSiteCookieHandler which could be configured
as an extra handler in (Karaf) etc/undertow.xml.
But I agree - there should be a unified way to support SameSite attribute
of session cookie.
I've created https://github.com/ops4j/org.ops4j.pax.web/issues/1727 to
track this issue in Pax Web 8.
regards
Grzegorz Grzybek
Thu, 16 Jun 2022 at 14:32 Oliver Fürniß <[email protected]>
wrote:
> Hi,
>
> I'm using Karaf 4.3.7, pax-web 7.3.25 (Jetty) and CXF 3.5.2
>
> Is it somehow possible to append a SameSite=[None|Lax|Strict] attribute to
> the default Cookie "JSESSIONID" or to disable it at all?
>
> IS:
> JSESSIONID=node010lhb2y6ihrdb13l2ip7p4ihdb4.node0; Path=/; HttpOnly
>
> SHOULD:
> JSESSIONID=node010lhb2y6ihrdb13l2ip7p4ihdb4.node0; Path=/; HttpOnly;
> SameSite=Strict
>
> All the best
> Oliver
>
> --
> --
> ------------------
> OPS4J - http://www.ops4j.org - [email protected]
>
> ---
> You received this message because you are subscribed to the Google Groups
> "OPS4J" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/ops4j/4fc23707-f9c6-4ae0-af1e-d7ee5af07237n%40googlegroups.com
> <https://groups.google.com/d/msgid/ops4j/4fc23707-f9c6-4ae0-af1e-d7ee5af07237n%40googlegroups.com?utm_medium=email&utm_source=footer>
> .
>
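As an added example (not code from the thread, Jetty or Pax Web): a small Python check that mirrors Jetty's comment-marker lookup quoted above, so you can see which SameSite value a given org.ops4j.pax.web.session.cookie.comment setting yields, and audits a Set-Cookie header the way you would verify the change after restarting Karaf. The two header lines are constructed from the IS / SHOULD examples in the original question.

```python
# Markers Jetty's HttpCookie.getSameSiteFromComment() looks for in the comment.
SAME_SITE_MARKERS = {
    "__SAME_SITE_STRICT__": "Strict",
    "__SAME_SITE_LAX__": "Lax",
    "__SAME_SITE_NONE__": "None",
}

# Constructed from the IS / SHOULD lines in the original question.
IS_HEADER = "JSESSIONID=node010lhb2y6ihrdb13l2ip7p4ihdb4.node0; Path=/; HttpOnly"
SHOULD_HEADER = IS_HEADER + "; SameSite=Strict"

def same_site_from_comment(comment):
    """SameSite value a given org.ops4j.pax.web.session.cookie.comment yields."""
    if comment is None:
        return None
    for marker, value in SAME_SITE_MARKERS.items():
        if marker in comment:
            return value
    return None

def parse_set_cookie(header):
    """Split a Set-Cookie value into name, value and a lower-cased attribute map."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:  # tolerate a trailing ';'
            key, has_value, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip() if has_value else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}

def audit_session_cookie(header, cookie_name="JSESSIONID", require_secure=True):
    """Hardening attributes missing from the session cookie ([] if OK or other cookie)."""
    cookie = parse_set_cookie(header)
    if cookie["name"] != cookie_name:
        return []
    attrs = cookie["attrs"]
    findings = []
    if "httponly" not in attrs:
        findings.append("HttpOnly")
    if require_secure and "secure" not in attrs:
        findings.append("Secure")
    same_site = attrs.get("samesite")
    if same_site is None:
        findings.append("SameSite")
    elif str(same_site).lower() == "none" and "secure" not in attrs:
        findings.append("SameSite=None requires Secure")  # Chrome rejects it otherwise
    return findings
```

Feed it the Set-Cookie value from a real response (e.g. the header shown by `curl -I`) to confirm the marker in the comment property actually reached the browser.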