On Fri, 2024-10-18 at 09:26 -0400, Thad Humphries wrote:
> On Thu, Oct 17, 2024 at 2:51 PM John Iliffe <john.iliffe@xxxxxxxxx> wrote:
> > I asked a similar question to this two weeks ago but now I have a bit more information so
> > please treat this as a new question.
> >
> > When one of my screens (at least one) connects to a third-party web site to pass some data to
> > them I get warnings from Firefox about the JSESSIONID cookie not having the correct samesite
> > attribute. I think that this cookie is generated by Apache for each session; not by me as far
> > as I can discover.
> > How do I add this attribute to an automatically generated cookie? Since there doesn't seem to
> > be any non-session related material in the cookie is it really needed to be passed to the
> > remote server at all? The error seems to be random in the context that it only pops up once
> > in a while and not every time I connect.
> >
> > Here is the Firefox entry:
> >
> > Cookie “JSESSIONID” will soon be rejected because it is foreign and does not have the
> > “Partitioned“ attribute.
> > Cookie “JSESSIONID” does not have a proper “SameSite” attribute value. Soon, cookies without
> > the “SameSite” attribute or with an invalid value will be treated as “Lax”. This means that
> > the cookie will no longer be sent in third-party contexts. If your application depends on
> > this cookie being available in such contexts, please add the “SameSite=None“ attribute to it.
> > To know more about the “SameSite“ attribute, read
> > https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite
> > card.html
> >
> > Thanks.
> >
> > John
> > ======
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
> > For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
>
> It sounds like you might be running Tomcat behind Apache HTTP.
> If so, add (or edit) the <CookieProcessor> element in $CATALINA_BASE/conf/context.xml to read
>
> > <CookieProcessor sameSiteCookies="none"></CookieProcessor>
>
> I came across this while developing an HTML/CSS/JavaScript web app that made REST calls to a
> Tomcat site. The Chrome DevTools' console warned:
>
> > [Deprecation] A cookie associated with a cross-site resource at http://localhost/ was set
> > without the `SameSite` attribute. A future release of Chrome will only deliver cookies with
> > cross-site requests if they are set with `SameSite=None`. You can review cookies in developer
> > tools under Application>Storage>Cookies and see more details at
> > https://www.chromestatus.com/feature/5088147346030592. See:
> > https://developers.google.com/privacy-sandbox/blog/cookie-countdown-2023oct

No, not Tomcat. This is a pure Apache server situation where the pages are being served in
php/html but at one point the response from the browser has to be redirected to another server
outside our domain. Basically it is an order entry app where the customer credit card information
has to be handled without passing through our server at all so we don't have to be PCIA compliant.

Thanks for thinking about the question and for responding.

John
======

> --
> "Hell hath no limits, nor is circumscrib'd In one self-place; but where we are is hell, And where
> hell is, there must we ever be" --Christopher Marlowe, Doctor Faustus (v. 111-13)
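
The Firefox and Chrome warnings quoted in this thread come down to a few checks on the `Set-Cookie` header, which can be run against headers copied from the browser's network panel to see which server's cookie triggers which warning. The Python below is an added example, not code from any poster in the thread; the finding labels and sample header values are constructed for illustration, and it also applies the browser rule that `SameSite=None` and `Partitioned` cookies must carry `Secure`.

```python
# Added example: classify Set-Cookie values the way the quoted browser warnings do.
VALID_SAMESITE = {"strict", "lax", "none"}


def parse_set_cookie(header):
    """Return (name, attrs) for one Set-Cookie value; attribute names are lower-cased."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, value = part.partition("=")
            attrs[key.strip().lower()] = value.strip()
    return name, attrs


def audit_set_cookie(header, third_party=True):
    """Return (name, findings). Finding labels are hypothetical, chosen for this example."""
    name, attrs = parse_set_cookie(header)
    findings = []
    samesite = attrs.get("samesite", "").lower()
    secure = "secure" in attrs
    if samesite not in VALID_SAMESITE:
        # Missing or invalid SameSite: the browser treats the cookie as Lax.
        findings.append("samesite-missing-or-invalid")
        samesite = "lax"
    if samesite == "none" and not secure:
        # Browsers reject SameSite=None cookies that lack Secure.
        findings.append("samesite-none-without-secure")
    if third_party:
        if samesite != "none":
            findings.append("withheld-in-third-party-context")
        if "partitioned" not in attrs:
            findings.append("not-partitioned")
        elif not secure:
            findings.append("partitioned-without-secure")
    return name, findings


# Constructed sample headers (not taken from the thread).
SAMPLE_HEADERS = [
    "JSESSIONID=abc123; Path=/; HttpOnly",
    "JSESSIONID=abc123; Path=/; SameSite=None",
    "JSESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=None; Partitioned",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(audit_set_cookie(header))
```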