I would want to add the SameSite cookie attribute to the cookie I'm using in a Tomcat web app. To add the HttpOnly attribute it was enough to add the following definition in the web.xml file:
<session-config>
    <session-timeout>240</session-timeout>
    <cookie-config>
        <http-only>true</http-only>
    </cookie-config>
</session-config>
What about the SameSite attribute? Is it possible to set it in the same way as http-only, like <same-site>true</same-site>?
A definition of the SameSite cookie:
Same-site cookies (née "First-Party-Only" (née "First-Party")) allow servers to mitigate the risk of CSRF and information leakage attacks by asserting that a particular cookie should only be sent with requests initiated from the same registrable domain.
web.xml is a Tomcat configuration file that stores application configuration settings. It is recommended that access to this file be properly protected from unauthorized changes. Rationale: restricting access to this file prevents local users from maliciously or inadvertently altering Tomcat's security policy.
In Tomcat, the Context container represents a single web application running within a given instance of Tomcat. A web site is made up of one or more Contexts. For each explicitly configured web application, there should be one Context element, either in server.xml or in a separate context XML fragment file.
The options for the web.xml configuration file are defined in the Java Servlet Specification. This file does not support options for including the SameSite attribute in the cookies.
If you wanna add the SameSite option to the cookies in your application, you can configure the Tomcat Cookie Processor (the CookieProcessor) in the META-INF/context.xml:
<?xml version="1.0" encoding="UTF-8"?>
<Context>
    <!-- Add SameSite to the cookies -->
    <CookieProcessor sameSiteCookies="none" />
</Context>
NOTE: This configuration may fail in older versions of Tomcat. Apparently, these options work well if you use, at least, Tomcat 8.5.48 or 9.0.28. For older versions, there are some workarounds you may check.
You may try some web filters that implement this behaviour. For instance, you may check the IdP SameSite Session Cookie Filter.
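For Tomcat versions that predate the sameSiteCookies attribute, the "web filter" route the answer mentions works like this. The filter below is an added illustration written for this page; it is not the IdP SameSite Session Cookie Filter and not code from Tomcat. It lets the request complete, then rewrites every Set-Cookie header the application or Tomcat's session manager produced so that each carries a SameSite attribute. It assumes the javax.servlet API (Tomcat 8.5/9; Tomcat 10 moved to jakarta.servlet, so the imports would change) and a filter init-param named sameSite, which is a name chosen here, not a Tomcat setting.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.Locale;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * Illustrative filter (not the IdP filter named above): once the request has been
 * handled, rewrite every Set-Cookie header on the response so that it carries a
 * SameSite attribute. Rewriting after the chain returns also catches the JSESSIONID
 * cookie, which Tomcat's session manager writes directly to the response rather than
 * through any wrapper a filter could install.
 */
public class SameSiteCookieFilter implements Filter {

    // Applied to cookies that do not already declare SameSite. "Lax" is the safe default;
    // "None" is only needed for cross-site use and forces Secure (see withSameSite).
    private String sameSite = "Lax";

    @Override
    public void init(FilterConfig config) {
        // "sameSite" is a hypothetical init-param name chosen for this example.
        String configured = config.getInitParameter("sameSite");
        if (configured != null && !configured.trim().isEmpty()) {
            sameSite = configured.trim();
        }
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        chain.doFilter(request, response);

        if (!(response instanceof HttpServletResponse)) {
            return;
        }
        HttpServletResponse http = (HttpServletResponse) response;
        // A committed response has already sent its headers; nothing can be changed now.
        if (http.isCommitted()) {
            return;
        }
        Collection<String> cookies = http.getHeaders("Set-Cookie");
        if (cookies == null || cookies.isEmpty()) {
            return;
        }
        List<String> rewritten = new ArrayList<>();
        for (String cookie : cookies) {
            rewritten.add(withSameSite(cookie, sameSite));
        }
        // setHeader replaces all existing Set-Cookie values; addHeader appends the remaining ones.
        http.setHeader("Set-Cookie", rewritten.get(0));
        for (int i = 1; i < rewritten.size(); i++) {
            http.addHeader("Set-Cookie", rewritten.get(i));
        }
    }

    /**
     * Append "; SameSite=<value>" unless the cookie already declares SameSite. Browsers
     * reject SameSite=None cookies that are not also Secure, so add Secure in that case.
     */
    static String withSameSite(String setCookie, String sameSite) {
        boolean hasSameSite = false;
        boolean hasSecure = false;
        for (String part : setCookie.split(";")) {
            String attr = part.trim().toLowerCase(Locale.ROOT);
            if (attr.startsWith("samesite=")) {
                hasSameSite = true;
            } else if (attr.equals("secure")) {
                hasSecure = true;
            }
        }
        if (hasSameSite) {
            return setCookie;
        }
        StringBuilder sb = new StringBuilder(setCookie).append("; SameSite=").append(sameSite);
        if ("none".equalsIgnoreCase(sameSite) && !hasSecure) {
            sb.append("; Secure");
        }
        return sb.toString();
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

Register it in web.xml with a <filter> element naming this class and a <filter-mapping> whose <url-pattern> is /*, so it wraps every request; an <init-param> named sameSite (the hypothetical name above) selects Lax, Strict or None. The same caveat applies as for the CookieProcessor setting: a value of None is only honoured by current browsers when the cookie is also Secure, which is why the helper adds that attribute, and rewriting is impossible once a servlet has flushed the response.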