Enable cross site functionality for a subset of my application

Question

A part of the web application I'm working on is integrated with another web application that I do not have control over. This integration has stopped working with the recent enforcement of the SameSite cookie attribute. For this integration to start working again, my JSESSIONID cookie needs to have the SameSite=None attribute set, as well as Secure (for obvious reasons).

My team and I have decided to let the Apache Server handle this case, which works part of the time.

As a side note, we have also decided to set SameSite=Strict for all cookies, excluding those who should be set to SameSite=None.

This is my cookies.conf, included in my apache2.conf (names replaced with place holders):

Header edit Set-Cookie ^(.*)$ $1;Secure;SameSite=Strict;

<If "%{THE_REQUEST} =~ m#.*\/application-instance\/subset-of-app.*#">
    Header edit Set-Cookie (JSESSIONID.*) $1;Secure;SameSite=None; 
</If>

The first Header directive line works perfectly, as well as the line inside the If-statement, would it be outside the If-statement. What does not work is the expression.

What am I doing wrong here? Is it possible to do this or am I misunderstanding something? Hopefully there's enough information, and that I'm on the right page..

EDIT:

I probably should have mentioned that I can successfully set the cookie to "SameSite=None" for whole instances of the application, like so:

<If "%{THE_REQUEST} =~ m#.*\/application-instance.*#">
    Header edit Set-Cookie (JSESSIONID.*) $1;Secure;SameSite=None; 
</If>

Also, I know my regex for the subset of the app works since these lines actually create a new JSESSIONID-cookie with the same name and value, but with SameSite=None, only available for the specified path:

<If "%{THE_REQUEST} =~ m#.*\/application-instance\/subset-of-app.*#">
    SetEnvIf Cookie "(^|;\ *)JSESSIONID=([^;\ ]+)" JSESSIONID_VALUE=$2
    Header always set Set-Cookie JSESSIONID=%{JSESSIONID_VALUE}e;Secure;SameSite=None;Path=/application-instance/subset-of-app.page;
</If>

I'm not very confident in that this is the correct way to solve this problem, as having two JSESSIONID-cookies might give inconsistent results in the third party app..

Andrew Schulman · Answer 1 · 2020-11-10T11:40:37.433

0

It looks to me as though at /application-instance/subset-of-app, both rules should be firing, so you're setting the cookie:

JSESSIONID=...;Secure;SameSite=Strict;Secure;SameSite=None;

Since SameSite is being set twice to different values, could that be confusing clients? So maybe instead you want:

Header edit Set-Cookie ^(.*)$ $1;Secure;SameSite=Strict;
<If "%{THE_REQUEST} =~ m#.*\/application-instance\/subset-of-app.*#">
    Header edit Set-Cookie (JSESSIONID.*);SameSite=Strict; $1;SameSite=None; 
</If>

You can examine the Set-Cookie response header values by using curl -sv or your browser's development tools, which may help you figure out what's going on.

edited Nov 10 '20 at 11:40

answered Nov 09 '20 at 15:35

Andrew Schulman

8,811
21
32
47

Thanks for the answer! This did not work for me unfortunately, though it sure looks like this would affect my results. Is there a way to view all the attributes set to the cookie? – Anton Wahlberg Nov 10 '20 at 11:30
Added to the answer. Good luck. – Andrew Schulman Nov 10 '20 at 11:40

Enable cross site functionality for a subset of my application

1 Answers1