Re: How do I add the "samesite" attribute to JSESSION cookie

On Fri, 2024-10-18 at 09:26 -0400, Thad Humphries wrote:
> 
> On Thu, Oct 17, 2024 at 2:51 PM John Iliffe <john.iliffe@xxxxxxxxx> wrote:
> > I asked a similar question to this two weeks ago but now I have a bit more information so please
> > treat this as a new question.
> > 
> > When one of my screens (at least one) connects to a third-party web site to pass some data to
> > them I get warnings from Firefox about the JSESSION cookie not having the correct samesite
> > attribute. I think that this cookie is generated by Apache for each session; not by me as far
> > as I can discover. How do I add this attribute to an automatically generated cookie? Since
> > there doesn't seem to be any non-session related material in the cookie is it really needed
> > to be passed to the remote server at all? The error seems to be random in the context that it
> > only pops up once in a while and not every time I connect.
> > 
> > Here is the Firefox entry:
> > 
> > Cookie “JSESSIONID” will soon be rejected because it is foreign and does not have the
> > “Partitioned“ attribute.
> > Cookie “JSESSIONID” does not have a proper “SameSite” attribute value. Soon, cookies without the
> > “SameSite” attribute or with an invalid value will be treated as “Lax”. This means that the
> > cookie will no longer be sent in third-party contexts. If your application depends on this
> > cookie being available in such contexts, please add the “SameSite=None“ attribute to it. To
> > know more about the “SameSite“ attribute, read
> > https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite
> > card.html
> > 
> > Thanks.
> > 
> > John
> > ======
> > 
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
> > For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
> > 
> > 
> 
> 
> It sounds like you might be running Tomcat behind Apache HTTP. If so, add (or edit) the
> <CookieProcessor> element in $CATALINA_BASE/conf/context.xml to read
> 
> > <CookieProcessor sameSiteCookies="none"></CookieProcessor>
> 
> I came across this while developing an HTML/CSS/JavaScript web app that made REST calls to a
> Tomcat site. The Chrome DevTools' console warned:
> 
> > [Deprecation] A cookie associated with a cross-site resource at http://localhost/ was set
> > without the `SameSite` attribute. A future release of Chrome will only deliver cookies with
> > cross-site requests if they are set with `SameSite=None`. You can review cookies in developer
> > tools under Application>Storage>Cookies and see more details at
> > https://www.chromestatus.com/feature/5088147346030592. See:
> > https://developers.google.com/privacy-sandbox/blog/cookie-countdown-2023oct
> 
No, not Tomcat.  This is a pure Apache server situation where the pages are being served in php/html
but at one point the response from the browser has to be redirected to another server outside our
domain.  Basically it is an order entry app where the customer credit card information has to be
handled without passing through our server at all so we don't have to be PCIA compliant.

Thanks for thinking about the question and for responding.

John

======
> -- 
> "Hell hath no limits, nor is circumscrib'd In one self-place; but where we are is hell, And where
> hell is, there must we ever be" --Christopher Marlowe, Doctor Faustus (v. 111-13)


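Added example for this thread (not code from any poster): a small Python audit of Set-Cookie headers against the browser rules quoted above, plus the attribute fix-up that an Apache mod_headers `Header edit Set-Cookie` rule applies to cookies the server itself sets; the sample header is constructed.

```python
# Added example, not code from the thread. Audits Set-Cookie values for the
# SameSite problems Firefox/Chrome warn about, and appends what a cross-site
# cookie needs, as "Header edit Set-Cookie ^(.*)$ "$1; SameSite=None; Secure"" does.

VALID_SAMESITE = {"strict", "lax", "none"}

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, attrs); attr keys are
    lowercased and valueless attributes such as Secure map to True."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value, attrs

def audit_set_cookie(header):
    """Return finding codes: no/invalid SameSite is treated as Lax and dropped
    from cross-site requests; SameSite=None is only honoured with Secure; a
    foreign (third-party) cookie without Partitioned draws the Firefox warning."""
    _, _, attrs = parse_set_cookie(header)
    findings = []
    samesite = attrs.get("samesite")
    if samesite is None:
        findings.append("missing-samesite")
    elif str(samesite).lower() not in VALID_SAMESITE:
        findings.append("invalid-samesite")
    elif samesite.lower() == "none":
        if "secure" not in attrs:
            findings.append("none-without-secure")
        if "partitioned" not in attrs:
            findings.append("none-without-partitioned")
    return findings

def add_cross_site_attrs(header):
    """Append SameSite=None and Secure only where absent, so a cookie that
    already carries them is not given duplicate attributes."""
    _, _, attrs = parse_set_cookie(header)
    fixed = header.rstrip("; ")
    if "samesite" not in attrs:
        fixed += "; SameSite=None"
    if "secure" not in attrs:
        fixed += "; Secure"
    return fixed

if __name__ == "__main__":  # constructed sample header, not captured from a server
    hdr = "JSESSIONID=abc123; Path=/; HttpOnly"
    print(audit_set_cookie(hdr), "->", add_cross_site_attrs(hdr))
```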