Adam,

On 11/15/23 09:06, Adam Warfield wrote:
> The Rfc6265CookieProcessor supports setting the SameSite cookie
> attribute but starting in 2024, browsers will begin enforcing the
> newer "Partitioned" attribute for third-party cookies.

> Is there a way to set this attribute within Tomcat for things like the
> JSESSIONID and XSRF-TOKEN cookies?

Wait... are you using cookies for CSRF tokens? That doesn't really provide much protection. Your CSRF cookie will be transmitted along with any request, even "forged" requests.

Are you responsible for the primary web application, here, or are you responsible for a third-party site such as an advertiser, back-end service, etc.?

> This affects any webapps that are embedded within iframes across
> domains where those cookies will be rejected if not partitioned.

If you migrate to Tomcat 10.1 or later (with Jakarta Servlet APIs), there is Cookie.setAttribute(String name, String value)[1]

If you cannot upgrade to Tomcat 10 in time, then you can simply resort to setting the headers directly:

response.addHeader("Set-Cookie", "XSRF-TOKEN=foo; Partitioned");

-chris

[1] https://jakarta.ee/specifications/servlet/6.0/apidocs/jakarta.servlet/jakarta/servlet/http/cookie#setAttribute(java.lang.String,java.lang.String)
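Both options from the reply above, as an added example that is not part of the original thread and not Tomcat's own code. It assumes a servlet named PartitionedCookieServlet mapped at /xsrf, a helper partitionedSetCookie(), and that Tomcat 10.1's Rfc6265CookieProcessor serialises an attribute set with an empty value as a bare flag (check the emitted Set-Cookie header to confirm). Secure and SameSite=None are added alongside Partitioned because browsers only accept a partitioned cookie over HTTPS and only send it from a cross-site frame when SameSite=None.

```java
// Added example (not from the thread or the Tomcat project). Assumed names:
// PartitionedCookieServlet, the /xsrf mapping, partitionedSetCookie(), newToken().
// Option 1 needs Tomcat 10.1+ (Jakarta Servlet 6.0) for Cookie.setAttribute;
// Option 2 works on any Tomcat version.
import java.io.IOException;
import java.security.SecureRandom;
import java.util.Base64;

import jakarta.servlet.ServletException;
import jakarta.servlet.annotation.WebServlet;
import jakarta.servlet.http.Cookie;
import jakarta.servlet.http.HttpServlet;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

@WebServlet("/xsrf")
public class PartitionedCookieServlet extends HttpServlet {

    private static final SecureRandom RNG = new SecureRandom();

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if (!req.isSecure()) {
            // Browsers discard a Partitioned cookie that is not Secure, so refuse
            // to issue one over plain HTTP rather than set a cookie that is dropped.
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "HTTPS required");
            return;
        }
        String token = newToken();

        // Option 1 (Tomcat 10.1+): let the container serialise the attributes.
        Cookie c = new Cookie("XSRF-TOKEN", token);
        c.setSecure(true);
        c.setPath("/");
        // A cookie read from a cross-site iframe must also be SameSite=None,
        // otherwise the browser never sends it from the embedded context.
        c.setAttribute("SameSite", "None");
        // Assumption: an empty value is emitted as the bare flag "; Partitioned".
        c.setAttribute("Partitioned", "");
        resp.addCookie(c);

        // Option 2 (Tomcat 8.5 / 9.0, no Cookie.setAttribute): replace the block
        // above with the raw header:
        //   resp.addHeader("Set-Cookie", partitionedSetCookie("XSRF-TOKEN", token));

        resp.setContentType("text/plain");
        resp.getWriter().println("token issued");
    }

    /**
     * Builds a Set-Cookie header value by hand. Secure and SameSite=None are the
     * required companions of Partitioned when the cookie is used cross-site.
     */
    static String partitionedSetCookie(String name, String value) {
        return name + "=" + value + "; Path=/; Secure; SameSite=None; Partitioned";
    }

    /** 256-bit random token, base64url without padding (cookie-safe characters). */
    static String newToken() {
        byte[] b = new byte[32];
        RNG.nextBytes(b);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
    }
}
```

Two caveats. The cookie alone proves nothing about where a request came from, which is the point raised earlier in the reply: the application still has to compare the cookie value with a copy the client sends back in a request header or form field. And the session cookie (JSESSIONID) is created by the container rather than by application code, so either option above only covers cookies the webapp sets itself.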

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
