Mark,

On 11/8/19 11:53, Mark Thomas wrote:
>> All,
>>
>> I'm looking at using "samesite" cookies within my application.
>> It looks as simple as setting the "sameSite" attribute
>> appropriately on the CookieProcessor for the <Context>, which
>> isn't there in a default configuration. So you just have to add
>> it:
>>
>> <Context [...]>
>>
>> <CookieProcessor sameSiteCookies="lax" />
>>
>> </Context>
>>
>> Cool, now my JSESSIONID cookies are coming back with the
>> SameSite=Lax parameter.
>>
>> But it also applies to all the other cookies my application
>> creates. It looks like there is no way to set/reset this
>> parameter on an individual-cookie basis. That would require a
>> change to the Servlet API, right?
>
> That would be one way to implement it - and then the app would have
> to (un)set it.
>
> Per Cookie configuration in CookieProcessor would be another way.
> I haven't thought about how that might be implemented though.

It seems that there are enough cookie parameters that the servlet spec
doesn't support[1], it might not be a bad idea to propose two new
methods to be added to the Cookie class:

    public void setAttribute(String name, String value);
    public String getAttribute(String name);

Then, if e.g. SameSite isn't directly supported by the Cookie API,
applications can still:

    Cookie cookie = new Cookie("my_cookie", "value");
    cookie.setAttribute("SameSite", "Strict"); // or null

>> I'm okay with SameSite being applied to ALL my cookies, but maybe
>> not everybody is. Are there any workarounds for this?
>
> Manually write your own cookie header.

Duh.
Of course that will work :)

-chris

[1] https://scotthelme.co.uk/tough-cookies/