On Thu, Oct 17, 2024 at 2:51 PM John Iliffe <john.ili...@iliffe.ca> wrote:
> I asked a similar question to this two weeks ago but now I have a bit more information so please treat this as a new question.
>
> When one of my screens (at least one) connects to a third-party web site to pass some data to them I get warnings from Firefox about the JSESSIONID cookie not having the correct samesite attribute. I think that this cookie is generated by Apache for each session; not by me as far as I can discover. How do I add this attribute to an automatically generated cookie? Since there doesn't seem to be any non-session related material in the cookie is it really needed to be passed to the remote server at all? The error seems to be random in the context that it only pops up once in a while and not every time I connect.
>
> Here is the Firefox entry:
>
> Cookie “JSESSIONID” will soon be rejected because it is foreign and does not have the “Partitioned“ attribute.
> Cookie “JSESSIONID” does not have a proper “SameSite” attribute value. Soon, cookies without the “SameSite” attribute or with an invalid value will be treated as “Lax”. This means that the cookie will no longer be sent in third-party contexts. If your application depends on this cookie being available in such contexts, please add the “SameSite=None“ attribute to it. To know more about the “SameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite
> card.html
>
> Thanks.
>
> John

It sounds like you might be running Tomcat behind Apache HTTP.
If so, add (or edit) the <CookieProcessor> element in $CATALINA_BASE/conf/context.xml to read

    <CookieProcessor sameSiteCookies="none"></CookieProcessor>

I came across this while developing an HTML/CSS/JavaScript web app that made REST calls to a Tomcat site. The Chrome DevTools' console warned:

    [Deprecation] A cookie associated with a cross-site resource at http://localhost/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592.

See: https://developers.google.com/privacy-sandbox/blog/cookie-countdown-2023oct

-- 
"Hell hath no limits, nor is circumscrib'd
In one self-place; but where we are is hell,
And where hell is, there must we ever be"
--Christopher Marlowe, *Doctor Faustus* (v. 111-13)
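
Added example, not part of the original thread: a small Python check that evaluates a Set-Cookie header against the conditions named in the Firefox and Chrome warnings quoted above, plus the browser rule that a SameSite=None cookie must also carry Secure. The function names, finding labels and sample headers are constructed for illustration.

```python
VALID_SAMESITE = {"strict", "lax", "none"}

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, attrs); attribute names are lowercased."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, value = part.partition("=")
            attrs[key.strip().lower()] = value.strip()
    return name, attrs

def audit_cookie(header, cross_site=True):
    """Return findings for one Set-Cookie header.

    cross_site=True means the application needs the cookie in third-party
    contexts, which is the situation described in the thread.
    """
    _, attrs = parse_set_cookie(header)
    findings = []
    raw = attrs.get("samesite")
    value = raw.lower() if raw is not None else None
    if value is None:
        findings.append("missing-samesite")
    elif value not in VALID_SAMESITE:
        findings.append("invalid-samesite")
    # Per the Firefox message: missing or invalid values are treated as Lax.
    effective = value if value in VALID_SAMESITE else "lax"
    if effective == "none" and "secure" not in attrs:
        findings.append("samesite-none-without-secure")  # browsers reject this cookie
    if cross_site and effective != "none":
        findings.append("not-sent-cross-site")
    if cross_site and effective == "none" and "partitioned" not in attrs:
        findings.append("foreign-without-partitioned")  # first Firefox warning
    return findings

# Constructed sample headers (not captured from a real server).
SAMPLES = [
    "JSESSIONID=0123ABCD; Path=/app; HttpOnly",
    "JSESSIONID=0123ABCD; Path=/app; HttpOnly; SameSite=None",
    "JSESSIONID=0123ABCD; Path=/app; Secure; HttpOnly; SameSite=None; Partitioned",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(audit_cookie(sample) or ["ok"], "<-", sample)
```

SameSite=None makes the session cookie travel on every cross-site request, so it is worth setting only when the third-party flow actually depends on the cookie, which is the question the original poster raises.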