Re: How do I add the "samesite" attribute to JSESSION cookie

On Thu, Oct 17, 2024 at 2:51 PM John Iliffe <john.iliffe@xxxxxxxxx> wrote:
I asked a similar question to this two weeks ago but now I have a bit more information so please
treat this as a new question.

When one of my screens (at least one) connects to a third-party web site to pass some data to them I
get warnings from Firefox about the JSESSIONID cookie not having the correct samesite attribute.  I
think that this cookie is generated by Apache for each session; not by me as far as I can discover.
How do I add this attribute to an automatically generated cookie?  Since there doesn't seem to be
any non-session related material in the cookie is it really needed to be passed to the remote server
at all?  The error seems to be random in the context that it only pops up once in a while and not
every time I connect.

Here is the Firefox entry:

Cookie “JSESSIONID” will soon be rejected because it is foreign and does not have the “Partitioned“
attribute.
Cookie “JSESSIONID” does not have a proper “SameSite” attribute value. Soon, cookies without the
“SameSite” attribute or with an invalid value will be treated as “Lax”. This means that the cookie
will no longer be sent in third-party contexts. If your application depends on this cookie being
available in such contexts, please add the “SameSite=None“ attribute to it. To know more about the
“SameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite
card.html


Thanks.

John
======


It sounds like you might be running Tomcat behind Apache HTTP. If so, add (or edit) the <CookieProcessor> element in $CATALINA_BASE/conf/context.xml to read

<CookieProcessor sameSiteCookies="none"></CookieProcessor>

I came across this while developing an HTML/CSS/JavaScript web app that made REST calls to a Tomcat site. The Chrome DevTools' console warned:

[Deprecation] A cookie associated with a cross-site resource at http://localhost/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592. See: https://developers.google.com/privacy-sandbox/blog/cookie-countdown-2023oct

--
"Hell hath no limits, nor is circumscrib'd In one self-place; but where we are is hell, And where hell is, there must we ever be" --Christopher Marlowe, Doctor Faustus (v. 111-13)
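
Added example, not part of the thread above and not Tomcat code: a check to run over Set-Cookie values after changing context.xml. It flags a missing SameSite value and a foreign cookie without Partitioned, as in the quoted browser messages, and also SameSite=None sent without Secure, which Chrome rejects. The function names and sample headers are constructed for illustration.

```python
# Added example: audit Set-Cookie header values for the conditions the
# browser warnings quoted in this thread describe. Inputs are constructed.

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, lower-cased attrs)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def audit_cookie(header, third_party=False):
    """Return findings for one cookie; third_party marks cross-site use."""
    name, _, attrs = parse_set_cookie(header)
    samesite = attrs.get("samesite", "").lower()
    secure = "secure" in attrs
    findings = []
    if samesite not in ("strict", "lax", "none"):
        findings.append(f"{name}: SameSite missing or invalid, will be treated as Lax")
    if samesite == "none" and not secure:
        findings.append(f"{name}: SameSite=None without Secure, Chrome rejects it")
    if third_party and "partitioned" not in attrs:
        findings.append(f"{name}: foreign cookie without Partitioned")
    return findings


# Constructed sample headers (not captured from a real server).
SAMPLES = [
    "JSESSIONID=ABC123; Path=/app; HttpOnly",
    "JSESSIONID=ABC123; Path=/app; HttpOnly; SameSite=None",
    "JSESSIONID=ABC123; Path=/app; Secure; HttpOnly; SameSite=None",
    "JSESSIONID=ABC123; Path=/app; Secure; HttpOnly; SameSite=None; Partitioned",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(header)
        for finding in audit_cookie(header, third_party=True) or ["ok"]:
            print("   ", finding)
```

SameSite=None also removes the cross-site request protection that Lax or Strict gives the session cookie, so the application's own CSRF defences carry that load once the setting is changed.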
