Mantis Bugtracker
  

Viewing Issue Advanced Details
ID: 0006167
Category: [Resin]
Severity: minor
Reproducibility: always
Date Submitted: 06-23-18 19:15
Last Update: 07-12-18 14:22
Reporter: ferg
View Status: public
Assigned To: ferg
Priority: normal
Resolution: fixed
Platform:
Status: closed
OS:
Projection: none
OS Version:
ETA: none
Fixed in Version: 4.0.58
Product Version:
Product Build:
Summary: 0006167: cookie-same-site
Description: (rep by Steffan Busch)

But just adding <cookie-same-site> did not work for our existing ssl-session-cookie:

          <!--
             - For security, set the HttpOnly flag in cookies.
          -->
          <cookie-http-only/>
+ <cookie-same-site>Strict</cookie-same-site>


After looking into the source of AbstractHttpResponse.java, I saw that the SameSite logic is inside an "if (version > 0) {" block.
So I added this:

          <session-config>
            <use-persistent-store>false</use-persistent-store>
            <enable-url-rewriting>false</enable-url-rewriting>
+ <cookie-version>1</cookie-version>
          </session-config>

which now causes two cookie headers to appear in the response:

Set-Cookie: __Host-SSLJSESSIONID=aaa-ZjfzyD5KS98U2iNqw; Path=/; Secure; Version=1; SameSite=Strict; HttpOnly
Set-Cookie2: __Host-SSLJSESSIONID="aaa-ZjfzyD5KS98U2iNqw"; Path="/"; Secure; Version=1; SameSite=Strict; HttpOnly


Wouldn't it be possible to have the Same-Site Cookie configuration without the obsolete[1] Set-Cookie2 feature?

Steps To Reproduce
Additional Information
Attached Files
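
The report above boils down to a question of which attributes actually reach the browser: the page's own Set-Cookie line carries SameSite, Secure and HttpOnly, while the Set-Cookie2 line and the Version=1 attribute are legacy RFC 2965 artifacts that RFC 6265 user agents ignore. The following checker is an added example (not Resin code and not from the reporter); it parses Set-Cookie/Set-Cookie2 header lines, flags the obsolete Set-Cookie2 form and the Version attribute, and verifies SameSite, Secure, HttpOnly and the __Host- prefix rules. The two real header lines come from the report; the third, weaker header and all function names are constructed for the example.

```python
"""Audit Set-Cookie / Set-Cookie2 response headers for the attributes
discussed in this report. Added example, not Resin or reporter code."""
from dataclasses import dataclass, field

# Headers copied from the report above, plus one constructed weak header.
SAMPLE_HEADERS = [
    'Set-Cookie: __Host-SSLJSESSIONID=aaa-ZjfzyD5KS98U2iNqw; Path=/; Secure; Version=1; SameSite=Strict; HttpOnly',
    'Set-Cookie2: __Host-SSLJSESSIONID="aaa-ZjfzyD5KS98U2iNqw"; Path="/"; Secure; Version=1; SameSite=Strict; HttpOnly',
    'Set-Cookie: JSESSIONID=constructed-example; Path=/',  # constructed, deliberately weak
]


@dataclass
class CookieAudit:
    header: str                # "Set-Cookie" or "Set-Cookie2"
    name: str                  # cookie name
    attrs: dict                # lower-cased attribute -> value (str) or True for flags
    findings: list = field(default_factory=list)  # finding codes, in detection order


def parse_set_cookie(header_line: str) -> CookieAudit:
    """Split 'Header: name=value; Attr=val; Flag' into its parts.
    Set-Cookie2 quotes its values, so quotes are stripped for comparison."""
    hname, _, rest = header_line.partition(":")
    parts = [p.strip() for p in rest.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip().strip('"') if val else True
    return CookieAudit(hname.strip(), name.strip().strip('"'), attrs)


def audit_cookie(header_line: str) -> CookieAudit:
    """Apply the checks a reviewer would make on a session cookie header."""
    cookie = parse_set_cookie(header_line)
    f = cookie.findings
    a = cookie.attrs
    if cookie.header.lower() == "set-cookie2":
        f.append("SET_COOKIE2_OBSOLETE")      # RFC 2965 header, obsoleted by RFC 6265
    if "version" in a:
        f.append("LEGACY_VERSION_ATTRIBUTE")  # ignored by RFC 6265 user agents
    samesite = a.get("samesite")
    if samesite is None or samesite is True:
        f.append("SAMESITE_MISSING")
    elif samesite.lower() not in ("strict", "lax", "none"):
        f.append("SAMESITE_INVALID")
    elif samesite.lower() == "none" and "secure" not in a:
        f.append("SAMESITE_NONE_REQUIRES_SECURE")
    if "secure" not in a:
        f.append("SECURE_MISSING")
    if "httponly" not in a:
        f.append("HTTPONLY_MISSING")
    if cookie.name.startswith("__Host-"):
        # __Host- prefix rules: Secure, Path=/, and no Domain attribute
        if "secure" not in a:
            f.append("HOST_PREFIX_REQUIRES_SECURE")
        if a.get("path") != "/":
            f.append("HOST_PREFIX_REQUIRES_ROOT_PATH")
        if "domain" in a:
            f.append("HOST_PREFIX_FORBIDS_DOMAIN")
    return cookie


def audit_response(header_lines) -> list:
    """Audit every Set-Cookie / Set-Cookie2 line in a list of header lines."""
    return [audit_cookie(h) for h in header_lines
            if h.lower().startswith(("set-cookie:", "set-cookie2:"))]


if __name__ == "__main__":
    for result in audit_response(SAMPLE_HEADERS):
        print(f"{result.header} {result.name}: {result.findings or 'OK'}")
```

Running it shows the report's Set-Cookie line is sound apart from the legacy Version attribute, the Set-Cookie2 line is flagged as obsolete on top of that, and the constructed header lacks SameSite, Secure and HttpOnly entirely.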

- Relationships

- Notes
(0006840) ferg, 07-12-18 14:22:
server/01em

- Issue History
Date Modified    Username  Field             Change
06-23-18 19:15   ferg      New Issue
06-24-18 04:00   stbu      Issue Monitored   stbu
07-12-18 14:22   ferg      Note Added        0006840
07-12-18 14:22   ferg      Assigned To       => ferg
07-12-18 14:22   ferg      Status            new => closed
07-12-18 14:22   ferg      Resolution        open => fixed
07-12-18 14:22   ferg      Fixed in Version  => 4.0.58

