Posted to users@tomcat.apache.org by David Cleary <da...@progress.com> on 2019/10/10 18:08:37 UTC

Setting samesite attribute on JSESSIONID

Have a customer asking about this. I see Tomcat supports it here. https://tomcat.apache.org/tomcat-9.0-doc/config/cookie-processor.html

We currently use defaults, so I'm looking for an XML fragment and the file it goes in to add the samesite attribute to the JSESSIONID. I'm assuming they want it globally for all webapps.

Thanks
Dave

RE: Setting samesite attribute on JSESSIONID

Posted by David Cleary <da...@progress.com>.
On 10/10/19 14:08, David Cleary wrote:
> Have a customer asking about this. I see Tomcat supports it here.
> https://tomcat.apache.org/tomcat-9.0-doc/config/cookie-processor.html
>
> We currently use defaults, so I'm looking for an XML fragment and
> the file it goes in to add the samesite attribute to the JSESSIONID.
> I'm assuming they want it globally for all webapps.

> What have you tried already?

To paraphrase Maxwell Smart, "Missed it by that much". Our shipping version is at 9.0.20, so the warnings about unknown attribute are expected.

Thanks
Dave


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Setting samesite attribute on JSESSIONID

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Dave,

On 10/10/19 14:08, David Cleary wrote:
> Have a customer asking about this. I see Tomcat supports it here.
> https://tomcat.apache.org/tomcat-9.0-doc/config/cookie-processor.html
>
> We currently use defaults, so I'm looking for an XML fragment and
> the file it goes in to add the samesite attribute to the
> JSESSIONID. I'm assuming they want it globally for all webapps.

What have you tried already?

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Setting samesite attribute on JSESSIONID

Posted by Thad Humphries <th...@gmail.com>.
On Thu, Oct 10, 2019 at 2:08 PM David Cleary <da...@progress.com> wrote:

> Have a customer asking about this. I see Tomcat supports it here.
> https://tomcat.apache.org/tomcat-9.0-doc/config/cookie-processor.html
>
> We currently use defaults, so I'm looking for an XML fragment and the file
> it goes in to add the samesite attribute to the JSESSIONID. I'm assuming
> they want it globally for all webapps.
>

After Christopher Schultz pointed me in the right direction, I added the
following line to $CATALINA_BASE/conf/context.xml

<CookieProcessor sameSiteCookies="none"></CookieProcessor>

This allowed my JAMstack app to set a JSESSIONID from a REST app running
under Tomcat on a different server.

-- 
"Hell hath no limits, nor is circumscrib'd In one self-place; but where we
are is hell, And where hell is, there must we ever be" --Christopher
Marlowe, *Doctor Faustus* (v. 111-13)