Is there a way to add the SameSite=None attribute to the JSESSIONID cookie? I tried to add

    exists(%{o,Set-Cookie}) and regex(pattern="JSESSIONID", value="%{o,Set-Cookie}") -> set(attribute='%{o,Set-Cookie}', value='%{o,Set-Cookie}; Secure; SameSite=None')

in undertow-handlers.conf, but it looks like this handler is executed before the Set-Cookie: JSESSIONID header is set.

2 Answers
I found the solution. It is not very clean, but it works. First I copied three classes from the Undertow sources: CookieSameSiteMode.java, SameSiteCookieHandler.java and SameSiteNoneIncompatibleClientChecker.java.
Next I changed the setting of the sameSiteMode property, because the implementation of setSameSiteMode throws an exception when the value is not equal to "lax" or "strict", so I had to use reflection to set the field value directly. Next I added undertow-handlers.conf in the META-INF directory with the content

    samesite-cookie(mode='None', add-secure-for-none=true)

Finally I added an io.undertow.server.handlers.builder.HandlerBuilder file in the META-INF/services directory, in which I registered my handler. A full example is available on my GitHub.

Why not submit this to Quarkus as a PR? This would be a valuable enhancement to Quarkus. – Melloware Feb 21 '21 at 15:38
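The approach the accepted answer describes (a custom Undertow handler, registered through a HandlerBuilder service file, that rewrites the session cookie at response-commit time rather than in the request phase, which is why the plain undertow-handlers.conf predicate in the question fires too early) can be written without copying Undertow's classes or using reflection, provided the Undertow version in use already accepts "None" in Cookie.setSameSiteMode. The following is an added example, not code from the original post, from Undertow or from Quarkus. It assumes Undertow 2.1 or later (for HttpServerExchange.responseCookies()); the package, class and handler names are hypothetical, and it deliberately omits the SameSiteNoneIncompatibleClientChecker user-agent check that the answer's copied classes include.

```java
package com.example.samesite;

import io.undertow.server.HandlerWrapper;
import io.undertow.server.HttpHandler;
import io.undertow.server.HttpServerExchange;
import io.undertow.server.ResponseCommitListener;
import io.undertow.server.handlers.Cookie;
import io.undertow.server.handlers.builder.HandlerBuilder;

import java.util.Collections;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;

/**
 * Added example (hypothetical names): forces "SameSite=None; Secure" on every
 * response cookie whose name matches a pattern, defaulting to JSESSIONID.
 *
 * The work is done in a ResponseCommitListener, which Undertow invokes just
 * before the response headers are written. At that point the servlet layer
 * has already attached the session cookie to the exchange, whereas a handler
 * that inspects %{o,Set-Cookie} during the request phase runs before it exists.
 */
public final class ForceSameSiteNoneHandler implements HttpHandler {

    private final HttpHandler next;
    private final Pattern cookieName;

    public ForceSameSiteNoneHandler(HttpHandler next, String cookiePattern) {
        this.next = next;
        this.cookieName = Pattern.compile(cookiePattern);
    }

    @Override
    public void handleRequest(HttpServerExchange exchange) throws Exception {
        exchange.addResponseCommitListener(new ResponseCommitListener() {
            @Override
            public void beforeCommit(HttpServerExchange ex) {
                // Assumes Undertow 2.1+, where responseCookies() is available.
                for (Cookie cookie : ex.responseCookies()) {
                    if (cookieName.matcher(cookie.getName()).matches()) {
                        cookie.setSameSite(true);
                        // Older Undertow releases reject "None" here, which is
                        // the reason the answer above resorted to reflection.
                        cookie.setSameSiteMode("None");
                        // Browsers drop SameSite=None cookies that lack Secure.
                        cookie.setSecure(true);
                    }
                }
            }
        });
        next.handleRequest(exchange);
    }

    /**
     * Exposes the handler to undertow-handlers.conf as
     *     force-samesite-none(cookie='JSESSIONID')
     * Register it by listing com.example.samesite.ForceSameSiteNoneHandler$Builder
     * in META-INF/services/io.undertow.server.handlers.builder.HandlerBuilder.
     */
    public static final class Builder implements HandlerBuilder {
        @Override
        public String name() {
            return "force-samesite-none";
        }

        @Override
        public Map<String, Class<?>> parameters() {
            return Collections.singletonMap("cookie", String.class);
        }

        @Override
        public Set<String> requiredParameters() {
            return Collections.emptySet();
        }

        @Override
        public String defaultParameter() {
            return "cookie";
        }

        @Override
        public HandlerWrapper build(Map<String, Object> config) {
            String pattern = config.containsKey("cookie")
                    ? (String) config.get("cookie")
                    : "JSESSIONID";
            return handler -> new ForceSameSiteNoneHandler(handler, pattern);
        }
    }
}
```

With the service file in place, a single line force-samesite-none(cookie='JSESSIONID') in META-INF/undertow-handlers.conf activates it. Verify the result with a request that creates a session and check that the response carries Set-Cookie: JSESSIONID=...; Secure; SameSite=None; if the attribute is missing, the handler class was not picked up from the services file. Because some older browsers mishandle SameSite=None, keeping the user-agent check from SameSiteNoneIncompatibleClientChecker, as the answer above does, is the safer choice for a public site.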
If you use quarkus-undertow, you can use a web.xml.
Put it here: src/main/resources/META-INF
See: https://quarkus.io/guides/http-reference#servlet-config
The content can be this to set flags:
    <web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                                 http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
             version="3.1">
        <session-config>
            <cookie-config>
                <http-only>true</http-only>
                <secure>true</secure>
            </cookie-config>
        </session-config>
    </web-app>
https://stackoverflow.com/questions/44553017/setting-httponly-and-secure-in-web-xml
