 

SameSite flag on Jetty session cookies

How can I add the flag SameSite=Lax or SameSite=Strict to session cookies generated by Jetty if I am using it to host war files?

Dr.Haribo asked Feb 18 '17 19:02





2 Answers

Starting with Jetty 9.4.23, you can specify the desired SameSite value for the JSESSIONID cookie set by Jetty in the web.xml file of your web app like this:

<session-config>
    <cookie-config>
        <comment>__SAME_SITE_STRICT__</comment>
    </cookie-config>
</session-config>

Other possible values are __SAME_SITE_LAX__ and __SAME_SITE_NONE__.

See issue #4247 in Jetty for details.

izstas answered Sep 20 '22 07:09



I'm using Jetty version 6.1.19, and Jetty 6.1.19 doesn't support the SameSite attribute in cookies. Jetty provides some support/workaround for SameSite in its latest 9.* versions. I figured out a workaround for Jetty 6.1.19: I added the line of code below to the Jetty API, in the method addSetCookie of class HttpFields. It worked for me.

buf.append(";SameSite=Strict");

API code: [screenshot of the modified HttpFields.addSetCookie method; image not included]

jatin Goyal answered Sep 18 '22 07:09

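Whichever route you take (the web.xml comment on Jetty 9.4.23+ from the first answer, or the patched HttpFields.addSetCookie on Jetty 6 from the second), the thing to verify is the Set-Cookie header the server actually emits, because that is all the browser sees. The script below is an added example, not code from the question, either answer, or Jetty: it parses Set-Cookie values and reports, per cookie, whether SameSite is present and whether the combination is one browsers accept (SameSite=None without Secure is rejected by Chrome 80+). The header samples are constructed for the example; in practice capture them with `curl -sI https://host/app/` or the browser's network panel. It assumes the session cookie is named JSESSIONID, as in the answers.

```python
"""Audit Set-Cookie header values for the SameSite attribute.

Added example; not the page's or Jetty's own code.  The header strings in
SAMPLE_HEADERS are constructed to look like what Jetty emits before and
after the web.xml change, plus two non-session cookies for contrast.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

VALID_SAMESITE = {"strict", "lax", "none"}

# Constructed samples standing in for a captured response.
SAMPLE_HEADERS = [
    # Jetty default before any SameSite configuration: attribute absent
    "JSESSIONID=node01abc.node0; Path=/app; HttpOnly",
    # Jetty 9.4.23+ with <comment>__SAME_SITE_STRICT__</comment> in web.xml
    "JSESSIONID=node01abc.node0; Path=/app; HttpOnly; SameSite=Strict",
    # Cross-site cookie declared None but not Secure: Chrome 80+ drops it
    "tracker=1; Path=/; SameSite=None",
    "pref=dark; Path=/; SameSite=Lax",
]


@dataclass
class Cookie:
    name: str
    value: str
    # attribute name (lower-cased) -> value, or None for flags like HttpOnly
    attrs: Dict[str, Optional[str]] = field(default_factory=dict)

    def samesite(self) -> Optional[str]:
        """Lower-cased SameSite value, or None if absent or given no value."""
        v = self.attrs.get("samesite")
        return v.lower() if v else None

    def has_flag(self, name: str) -> bool:
        return name.lower() in self.attrs


def parse_set_cookie(header: str) -> Cookie:
    """Split one Set-Cookie header value into name, value and attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, Optional[str]] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, has_eq, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_eq else None
    return Cookie(name.strip(), value.strip(), attrs)


def audit_cookie(cookie: Cookie, session_names=("JSESSIONID",)) -> List[str]:
    """Return findings for one cookie; an empty list means it passes."""
    findings: List[str] = []
    ss = cookie.samesite()
    if ss is None:
        findings.append("no SameSite attribute: Chromium treats this as Lax, "
                        "other browsers may send it cross-site; set it explicitly")
    elif ss not in VALID_SAMESITE:
        findings.append(f"unrecognised SameSite value {cookie.attrs['samesite']!r}; "
                        "treat as unset")
    elif ss == "none" and not cookie.has_flag("secure"):
        findings.append("SameSite=None without Secure: Chrome 80+ rejects the cookie")
    if cookie.name in session_names:
        if not cookie.has_flag("httponly"):
            findings.append("session cookie without HttpOnly")
        if ss == "none":
            findings.append("session cookie is SameSite=None: "
                            "no CSRF protection from SameSite")
    return findings


def audit_headers(headers: List[str]) -> List[Tuple[str, List[str]]]:
    """Audit every Set-Cookie value in order; returns (cookie name, findings)."""
    return [(c.name, audit_cookie(c)) for c in map(parse_set_cookie, headers)]


if __name__ == "__main__":
    for name, findings in audit_headers(SAMPLE_HEADERS):
        status = "OK" if not findings else "; ".join(findings)
        print(f"{name}: {status}")
```

Run it against a real capture by replacing SAMPLE_HEADERS with the Set-Cookie lines from the response. Note that the Jetty 6 hack in the second answer appends SameSite=Strict to every cookie the server writes, not only JSESSIONID, so auditing all cookies rather than just the session one is the point of the report.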