Extensibility of LegacyCookieProcessor?

[Polina Georgieva <po...@gmail.com>]

Hello,



On our Tomcat 8 we are currently using
org.apache.tomcat.util.http.LegacyCookieProcessor and we need to override
its method generateHeader(Cookie cookie, HttpServletRequest request) to
handle sameSite cookie attribute in a custom way. However the
LegacyCookieProcessor class is final (not extensible).



So would you please consider making LegacyCookieProcessor class extensible
just like the other available cookie processor -
org.apache.tomcat.util.http.Rfc6265CookieProcessor?



Thanks and regards,

Polina

Re: Extensibility of LegacyCookieProcessor?

[Polina Georgieva <po...@gmail.com>]

Hi Chris,


> The SameSite attribute should be ignored by browsers that do not support
it. Which browser are you trying to work-around?



You can find more information about the incompatible browsers here:
https://www.chromium.org/updates/same-site/incompatible-clients



>The newer cookie parser is much more strict. Can you be more specific
about what you need?



Thanks for the clarification as this was not clear from the documentation.
We’ve been using the LegacyCookieProcessor quite some time and the switch
to the other processor might be a bit disruptive for our customers but
we’ll consider it for our next major version. Meanwhile do you think
LegacyCookieProcessor could be changed to non final?



Best Regards,

Polina

On Wed, Jan 20, 2021 at 11:45 PM Christopher Schultz <
chris@christopherschultz.net> wrote:

> Polina,
>
> On 1/20/21 04:24, Polina Georgieva wrote:
> >> I'm curious: what customization do you need, here?
> >
> > We’d like to override the generateHeader(Cookie cookie,
> > HttpServletRequest request) because we need to centrally handle the
> > addition of the sameSite cookie attribute of the session cookie as
> > some old browser versions do not support the sameSite cookie
> > attribute. For them the adding of this attribute should be skipped.
>
> The SameSite attribute should be ignored by browsers that do not support
> it. Which browser are you trying to work-around?
>
> >> Why do you need the legacy cookie processor?
> >
> > We use the LegacyCookieProcessor as it is with more strict
> > interpretation of the cookie specifications and provides additional
> > configurations if needed.
>
> The newer cookie parser is much more strict. Can you be more specific
> about what you need?
>
> -chris
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>

Re: Extensibility of LegacyCookieProcessor?

[Christopher Schultz <ch...@christopherschultz.net>]

Polina,

On 1/20/21 04:24, Polina Georgieva wrote:
>> I'm curious: what customization do you need, here?
> 
> We’d like to override the generateHeader(Cookie cookie,
> HttpServletRequest request) because we need to centrally handle the
> addition of the sameSite cookie attribute of the session cookie as
> some old browser versions do not support the sameSite cookie
> attribute. For them the adding of this attribute should be skipped.

The SameSite attribute should be ignored by browsers that do not support
it. Which browser are you trying to work-around?

>> Why do you need the legacy cookie processor?
> 
> We use the LegacyCookieProcessor as it is with more strict
> interpretation of the cookie specifications and provides additional
> configurations if needed.

The newer cookie parser is much more strict. Can you be more specific 
about what you need?

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

Re: Extensibility of LegacyCookieProcessor?

[Polina Georgieva <po...@gmail.com>]

Hi Chris,

>I'm curious: what customization do you need, here?

We’d like to override the generateHeader(Cookie cookie, HttpServletRequest
request) because we need to centrally handle the addition of the sameSite
cookie attribute of the session cookie as some old browser versions do not
support the sameSite cookie attribute. For them the adding of this
attribute should be skipped.



>Why do you need the legacy cookie processor?
We use the LegacyCookieProcessor as it is with more strict interpretation
of the cookie specifications and provides additional configurations if
needed.

Thanks and regards,
Polina

Re: Extensibility of LegacyCookieProcessor?

[Christopher Schultz <ch...@christopherschultz.net>]

Polina,

On 1/18/21 08:51, Polina Georgieva wrote:
> On our Tomcat 8 we are currently using
> org.apache.tomcat.util.http.LegacyCookieProcessor and we need to override
> its method generateHeader(Cookie cookie, HttpServletRequest request) to
> handle sameSite cookie attribute in a custom way. However the
> LegacyCookieProcessor class is final (not extensible).

I'm curious: what customization do you need, here?

> So would you please consider making LegacyCookieProcessor class extensible
> just like the other available cookie processor -
> org.apache.tomcat.util.http.Rfc6265CookieProcessor?

Why do you need the legacy cookie processor?

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org