[ https://issues.apache.org/jira/browse/CXF-9072?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Andriy Redko updated CXF-9072:
------------------------------
    Fix Version/s: 4.0.8
                   3.6.7

> NewCookieHeaderProvider does not support SameSite attribute on cookies
> ----------------------------------------------------------------------
>
>                 Key: CXF-9072
>                 URL: https://issues.apache.org/jira/browse/CXF-9072
>             Project: CXF
>          Issue Type: Bug
>          Components: JAX-RS
>    Affects Versions: 3.5.9, 4.0.5, 3.6.4
>            Reporter: Petr Kadlec
>            Assignee: Andriy Redko
>            Priority: Major
>             Fix For: 4.1.2, 4.0.8, 3.6.7
>
>
> {{ResponseImpl.getCookies}} (which works via {{NewCookieHeaderProvider}}) 
> does not work for cookies using the {{SameSite}} attribute.
> Example:
> {code:java}
> System.out.println(new NewCookieHeaderProvider().fromString("Set-Cookie: sessionId=38afes7a8"));
> System.out.println(new NewCookieHeaderProvider().fromString("Set-Cookie: sessionId=38afes7a8;Comment=none"));
> System.out.println(new NewCookieHeaderProvider().fromString("Set-Cookie: sessionId=38afes7a8;SameSite=none"));
> {code}
> Expected output:
> {quote}
> Set-Cookie: sessionId=38afes7a8;Version=1
> Set-Cookie: sessionId=38afes7a8;Comment=none;Version=1
> Set-Cookie: sessionId=38afes7a8;SameSite=none;Version=1
> {quote}
> Current output:
> {quote}
> Set-Cookie: sessionId=38afes7a8;Version=1
> Set-Cookie: sessionId=38afes7a8;Comment=none;Version=1
> SameSite=none;Version=1
> {quote}
> Note that the SameSite attribute is mistaken for the cookie name and value. 
> (!)
> In addition to explicitly supporting the SameSite attribute, it would be much 
> better if the parser behaved in a forward-compatible manner, at the very 
> least _ignoring_ unknown attributes, or better, keeping them in a general 
> attribute map. (Cf. [Jakarta’s `Cookie` 
> class|https://jakarta.ee/specifications/servlet/6.0/apidocs/jakarta.servlet/jakarta/servlet/http/cookie#getAttributes()].)
>  See also [the current valid Set-Cookie 
> syntax|https://httpwg.org/specs/rfc6265.html#sane-set-cookie].)
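
The forward-compatible parsing the report asks for, as an added example that is not CXF code and not part of the original issue: the first pair is always the cookie's name and value, and every later pair is kept in an attribute map, so SameSite (the attribute that limits cross-site sending of the cookie) survives the round trip. The class, record and method names are hypothetical, and the inputs are constructed.

```java
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;

// Added example, not CXF code; class and method names are hypothetical. Needs Java 16+ (records).
public class LenientSetCookieParser {
    record ParsedCookie(String name, String value, Map<String, String> attributes) {
        // SameSite value in lower case, or null when the header did not carry one.
        String sameSite() {
            String v = attributes.get("samesite");
            return v == null ? null : v.toLowerCase(Locale.ROOT);
        }
    }

    static ParsedCookie parse(String header) {
        String s = header.trim();
        // Accept a full "Set-Cookie: ..." line, as used in the report, or the bare value.
        if (s.regionMatches(true, 0, "Set-Cookie:", 0, 11)) {
            s = s.substring(11);
        }
        String[] parts = s.split(";", -1);
        // RFC 6265 section 5.2: only the first pair can be the cookie's name and value.
        int eq = parts[0].indexOf('=');
        String name = eq < 0 ? "" : parts[0].substring(0, eq).trim();
        if (name.isEmpty()) {
            throw new IllegalArgumentException("no name=value pair before the first ';'");
        }
        String value = parts[0].substring(eq + 1).trim();
        // Later pairs are attributes: names compared case-insensitively, unknown ones kept.
        Map<String, String> attrs = new LinkedHashMap<>();
        for (int i = 1; i < parts.length; i++) {
            String p = parts[i].trim();
            if (p.isEmpty()) continue;
            int e = p.indexOf('=');
            String key = (e < 0 ? p : p.substring(0, e)).trim().toLowerCase(Locale.ROOT);
            attrs.put(key, e < 0 ? "" : p.substring(e + 1).trim());
        }
        return new ParsedCookie(name, value, attrs);
    }

    public static void main(String[] args) {
        // Constructed inputs: the report's SameSite header and one with an attribute unknown today.
        for (String h : new String[] {"Set-Cookie: sessionId=38afes7a8;SameSite=none",
                "Set-Cookie: sessionId=38afes7a8; Secure; FutureAttr=x; samesite=Strict"}) {
            System.out.println(parse(h) + " sameSite=" + parse(h).sameSite());
        }
    }
}
```

For both inputs the cookie name stays sessionId; the SameSite value is read from the attribute map regardless of the attribute's case or position.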


