How to set SameSite Cookie in Tomcat's Cookie Processor?

Question

Tomcat's context.xml defines CookieProcessor (default LegacyCookieProcessor)

https://tomcat.apache.org/tomcat-9.0-doc/config/cookie-processor.html

I'm trying to add attribute(s) shown on cookie processor, however that doesn't seems to be working

I don't see Tomcat's response header cookie with sameSite attribute being set

Answer 1

In your web application, inside the META-INF folder create a context.xml file with this inside.

<Context>
   <CookieProcessor sameSiteCookies="strict" />
</Context>

If you already have a context.xml file, you just need to add the CookieProcessor element.

This behavior is possible since Tomcat 9.0.21 and 8.5.42, or 9.0.28 and 8.5.48 if you need to set the attribute to "none".

Merged into Tomcat master on 20th of May 2019 with pull request 162

Answer 2

Found answer to this :

1. edit tomcat/conf/context.xml
2. update CookieProcessor element on following lines say for setting SameSiteCookies in HTTP response headers's set-cookie.

<CookieProcessor className="org.apache.tomcat.util.http.LegacyCookieProcessor" sameSiteCookies="strict" />