Hi Luis,

Thanks for the information.

My question is mainly whether the changes in context.xml will impact the web application which is not deployed in Tomcat. From Mark's reply, I understood that the changes in context.xml will impact the web application even though it is not deployed in Tomcat.

Regards,
Abirami.S

-----Original Message-----
From: Luis Rodríguez Fernández <uo67...@gmail.com>
Sent: Tuesday, June 9, 2020 12:33 PM
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: Regarding context.xml changes impact other web service not deployed

Hello Abirami,

Well, strict does what it promises, so if those third-party REST services were expecting some cookies that now are not being sent by the browser, it is normal that they do not work as expected.

Internal implementation: sure! You can always have a look at the code of the different CookieProcessors [1] & [2]

Hope it helps,

Luis

[1] https://protect2.fireeye.com/v1/url?k=05de6036-5b7ea273-05de20ad-86b568293eb5-4944602a8cd168fc&q=1&e=1f87817f-d293-4635-8855-bd59ff97ee4b&u=https%3A%2F%2Fgithub.com%2Fapache%2Ftomcat%2Fblob%2Ff3c9fdd40bdbc3dc22b512596954e2bc6d424d5a%2Fjava%2Forg%2Fapache%2Ftomcat%2Futil%2Fhttp%2FRfc6265CookieProcessor.java
[2] https://protect2.fireeye.com/v1/url?k=1f48aa13-41e86856-1f48ea88-86b568293eb5-6b24c935f0126d6d&q=1&e=1f87817f-d293-4635-8855-bd59ff97ee4b&u=https%3A%2F%2Fgithub.com%2Fapache%2Ftomcat%2Fblob%2F623b2c9d0997481f1c5229135fa2f92e24303e47%2Fjava%2Forg%2Fapache%2Ftomcat%2Futil%2Fhttp%2FLegacyCookieProcessor.java

On Tue, 9 Jun 2020 at 7:59, S Abirami (<s.abir...@ericsson.com.invalid>) wrote:

> Hi Team,
>
> In our product, to address a security vulnerability in context.xml,
> we have introduced the following entry
>
> <CookieProcessor sameSiteCookies="strict" />
>
> After introducing the above line, I noticed a few REST services which are
> not deployed in that Tomcat are also getting impacted.
>
> Deployment Details
>
> Deployed : RHEL
> Tomcat Installation format : tar.gz
>
> Hence, interested to know about the internal implementation of the
> context in Tomcat to understand the impact.
>
> Thanks in advance for the support.
>
> Regards,
> Abirami.S

--
"Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."

- Samuel Beckett
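
The browser-side effect discussed in this thread, as an added example that is not part of the original messages and is not Tomcat code: a simplified model of when a browser attaches a cookie carrying `SameSite=Strict` or `SameSite=Lax` to a request. The host names, the sample `Set-Cookie` headers and the function names are constructed for illustration, and the "last two host labels" notion of a site is a labelled shortcut.

```python
# Added example: simplified model of a browser's SameSite check (not Tomcat code).
from urllib.parse import urlsplit

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}

# Constructed sample headers, shaped like what a server emits for each setting.
STRICT = "JSESSIONID=0123ABCD; Path=/app; HttpOnly; SameSite=Strict"
LAX = "JSESSIONID=0123ABCD; Path=/app; HttpOnly; SameSite=Lax"


def site_of(url):
    """Return (scheme, last two host labels).

    Assumption: real browsers use the Public Suffix List to find the
    registrable domain; this shortcut is wrong for suffixes like co.uk.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    return parts.scheme, ".".join(host.split(".")[-2:])


def same_site_mode(set_cookie):
    """Extract the SameSite attribute (lower-cased), or None if absent."""
    for attr in set_cookie.split(";")[1:]:
        name, _, value = attr.strip().partition("=")
        if name.lower() == "samesite":
            return value.strip().lower()
    return None


def cookie_sent(set_cookie, initiator, target, method="GET",
                top_level_navigation=False, default_mode="lax"):
    """Would the browser attach this cookie to the request to `target`?

    Models only SameSite. Domain/Path matching and the Secure requirement
    for SameSite=None are assumed to be satisfied already.
    default_mode is an assumption: current browsers treat a missing
    attribute as Lax, older ones behaved like None.
    """
    mode = same_site_mode(set_cookie) or default_mode
    if site_of(initiator) == site_of(target) or mode == "none":
        return True
    if mode == "strict":
        return False  # never sent on a cross-site request
    # Lax: only top-level navigations with a safe method carry the cookie.
    return top_level_navigation and method.upper() in SAFE_METHODS


if __name__ == "__main__":
    page, api = "https://portal.example.org/ui", "https://api.example.com/rest/v1"
    for label, hdr in (("strict", STRICT), ("lax", LAX)):
        print(label, cookie_sent(hdr, page, api, "GET", top_level_navigation=True))
```

Running it against the real request flow (which page initiates the call, which host receives it) shows whether a failing service depends on a cookie that `strict` now withholds.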