LegaSuite & API


Setting SameSite attribute

  • 1.  Setting SameSite attribute

    Posted 09-22-2020 11:04
    Does anyone know how to set SameSite = "Strict" to JSESSIONID cookie in TomCat 9_0_13?  Thanks
    ------------------------------
    Peter Cheng
    E2open
    ------------------------------


  • 2.  RE: Setting SameSite attribute

    Posted 10-16-2020 12:12
    Hi Peter,

    I know that it is possible to modify the context.xml for Tomcat for SameSite Cookies.
    I am investigating this further.

    Thanks, Sarah

    ------------------------------
    Sarah Gerards-Gilbert
    Rocket Software
    ------------------------------



  • 3.  RE: Setting SameSite attribute

    Posted 10-29-2020 17:58
    Hi Peter,

    I have been investigating and have not been able to find the solution for this for Tomcat 9.0.13.
    It looks like the functionality for setting the samesite cookies is available from Tomcat 9.0.21 and higher, however.
    In this version you can generate a context.xml file, which should be saved to the webapps/<appname>/META-INF folder.  I have attached an example.

    Please let me know if you have any additional questions.

    Thanks, Sarah

    ------------------------------
    Sarah Gerards-Gilbert
    Rocket Software
    ------------------------------

    Attachment: context.xml (108 B)


  • 4.  RE: Setting SameSite attribute

    Posted 11-04-2020 14:58
    Hi Sarah,

    That's exactly what I have on my Context.xml, this file was manually created, not generated.

    Does it work for you on "Tomcat 9.0.13"?

    ------------------------------
    Peter Cheng
    E2open
    ------------------------------



  • 5.  RE: Setting SameSite attribute

    Posted 11-04-2020 16:58
    Hi Peter,

    I manually created (generated was a poor choice of words) the context.xml too.  I tried it on 9.0.37, where it worked, and 9.0.13, where it was ignored.
    As far as I can currently determine a global same-site cookie setting in the default Rfc6265CookieProcessor was introduced in Tomcat 9.0.21 and backported to Tomcat 8.5.41.  It's not available in 9.0.13.
    There may be options for securing the samesite cookie in Apache Web Server and using it in front of Tomcat.  I believe there are a number of articles online for doing this.  Or an alternative may be to upgrade your version of Tomcat, when this is a viable option.

    Thanks, Sarah


    ------------------------------
    Sarah Gerards-Gilbert
    Rocket Software
    ------------------------------
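The per-application context.xml approach described in posts 3 and 5, written out as an added example; this is not the attached file (which is not reproduced on the page) and the attribute name sameSiteCookies is taken from Tomcat's own CookieProcessor documentation, so it only takes effect on the Tomcat releases named above (9.0.21+ / 8.5.41+).

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Assumed location: webapps/<appname>/META-INF/context.xml
     Applies to every cookie Tomcat issues for this webapp, including JSESSIONID.
     Requires Tomcat 9.0.21+ or 8.5.41+; older releases such as 9.0.13 simply
     ignore the sameSiteCookies attribute, as observed in this thread. -->
<Context>
    <!-- Rfc6265CookieProcessor is already the default processor in Tomcat 9;
         the className is spelled out here only for clarity.
         "strict" blocks the cookie on all cross-site requests; use "lax"
         if top-level navigations from other sites must keep the session. -->
    <CookieProcessor className="org.apache.tomcat.util.http.Rfc6265CookieProcessor"
                     sameSiteCookies="strict" />
</Context>
```

After restarting Tomcat, confirm the setting took effect by inspecting the Set-Cookie response header for JSESSIONID (for example with curl -sI against the application URL); if SameSite=Strict is absent, the running Tomcat is one of the versions that ignores the attribute.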