Lazar,

On 1/30/20 12:25 PM, Lazar Kirchev wrote:
> The problem is that I cannot make it from within the application. I
> have no control on the application, only on the server, so I have
> to be able to set the cookie either in a server configuration or in
> a component which will reside in the server.

It's not clear to me what you mean by "server". Usually, the
application runs on the server, so if you only have control of the
server... you have control of the application.

> I am concerned particularly with the SameSite attribute of the
> JSESSIONID cookie because of the new behavior of Chrome 80 -
> https://www.chromestatus.com/feature/5088147346030592

What is your specific concern?

> I was considering to have a valve which modifies the Set-Cookie
> header. But if the application flushes the output stream the
> headers will be written to the socket and the valve will not have
> the chance to modify the cookie.

You can use a <Valve> which can intercept the calls to setHeader(),
etc. to correct the header value.

Which cookie are you trying to modify?

-chris

> On Tue, Jan 28, 2020 at 5:27 PM Christopher Schultz < 
> ch...@christopherschultz.net> wrote:
> 
> John,
> 
> On 1/27/20 9:37 AM, John Dale wrote:
>>>> Over the years I found it more productive to manage my own
>>>> headers for the most part.
>>>> 
>>>> The key for us has been keeping the code clean and
>>>> manageable.
> 
> +1
> 
> But there isn't any reason not to use Tomcat's header parsing. If
> you have anything that could be considered odd, you should encode
> it in a safe way that doesn't require that you play other games
> with the cookie value.
> 
> For example, base64 encoding a cookie value should make it 
> header-safe, as long as you make sure to use a base64 encoder that 
> doesn't add newlines.
> 
> -chris
> 
>>>> On 1/27/20, Lazar Kirchev <lazar.kirc...@gmail.com> wrote:
>>>>> Hello,
>>>>> 
>>>>> In Tomcat >= 8 there is the CookieProcessor in which
>>>>> cookie configurations could be made, including for SameSite
>>>>> cookie. Is there any way to configure this in Tomcat 7? Or
>>>>> the only way is to configure it manually in code?
>>>>> 
>>>>> Kind regards, Lazar
>>>>> 

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
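
The header rewrite that a Valve or filter of the kind discussed in this message would apply to a Set-Cookie value, as an added example in plain Java (not code from the thread or from Tomcat). The class and method names are hypothetical, the sample header values are constructed, the cookie value is assumed to contain no ';', and the hook that calls this inside Tomcat is not shown.

```java
import java.util.Locale;

/** Hypothetical helper (not Tomcat API): adds SameSite to one named cookie. */
public final class SameSiteRewriter {

    // headerValue: value of one Set-Cookie header; policy: "Strict", "Lax" or "None".
    public static String withSameSite(String headerValue, String cookieName, String policy) {
        String[] parts = headerValue.split(";");
        // The first segment is always name=value; attributes follow.
        String first = parts[0].trim();
        int eq = first.indexOf('=');
        if (eq < 0 || !first.substring(0, eq).equals(cookieName)) {
            return headerValue;            // some other cookie: leave it alone
        }
        boolean hasSameSite = false;
        boolean hasSecure = false;
        for (int i = 1; i < parts.length; i++) {
            String attr = parts[i].trim().toLowerCase(Locale.ROOT);
            if (attr.equals("samesite") || attr.startsWith("samesite=")) hasSameSite = true;
            if (attr.equals("secure")) hasSecure = true;
        }
        if (hasSameSite) {
            return headerValue;            // already set explicitly: do not override
        }
        StringBuilder out = new StringBuilder(headerValue.trim());
        out.append("; SameSite=").append(policy);
        // Chrome 80 rejects SameSite=None cookies that are not also Secure.
        if ("None".equalsIgnoreCase(policy) && !hasSecure) {
            out.append("; Secure");
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample header values, not captured from a real server.
        String[] samples = {
            "JSESSIONID=0123ABCD; Path=/app; HttpOnly",
            "JSESSIONID=0123ABCD; Path=/app; Secure; HttpOnly; SameSite=Strict",
            "theme=dark; Path=/"
        };
        for (String s : samples) {
            System.out.println(withSameSite(s, "JSESSIONID", "Lax"));
        }
        System.out.println(withSameSite(samples[0], "JSESSIONID", "None"));
    }
}
```

The rewrite only takes effect if it runs before the response is committed, which is the flush concern raised in the quoted question.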
