Mantis Bugtracker
ID: 0006167
Category: [Resin]
Severity: minor
Reproducibility: always
Date Submitted: 06-23-18 19:15
Last Update: 07-12-18 14:22
Reporter: ferg
View Status: public
Assigned To: ferg
Priority: normal
Resolution: fixed
Status: closed
Product Version:
Summary: 0006167: cookie-same-site
Description (reported by Steffan Busch)

But just adding <cookie-same-site> did not work for our existing ssl-session-cookie:

          <!--
             - For security, set the HttpOnly flag in cookies.
          -->
          <cookie-http-only/>
+ <cookie-same-site>Strict</cookie-same-site>


After looking into the source of AbstractHttpResponse.java I saw that the SameSite logic is in an "if (version > 0) {" block.
So I have added this:

          <session-config>
            <use-persistent-store>false</use-persistent-store>
            <enable-url-rewriting>false</enable-url-rewriting>
+ <cookie-version>1</cookie-version>
          </session-config>

which means there are now two cookie headers in the response:

Set-Cookie: __Host-SSLJSESSIONID=aaa-ZjfzyD5KS98U2iNqw; Path=/; Secure; Version=1; SameSite=Strict; HttpOnly
Set-Cookie2: __Host-SSLJSESSIONID="aaa-ZjfzyD5KS98U2iNqw"; Path="/"; Secure; Version=1; SameSite=Strict; HttpOnly


Wouldn't it be possible to have the SameSite cookie configuration without the obsolete[1] Set-Cookie2 feature?
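A small audit of the header pair shown above, added here as an example in Python (it is not part of the report or of Resin): it parses each cookie-setting header, flags the obsolete Set-Cookie2 form, missing Secure/HttpOnly/SameSite attributes and violated __Host- prefix rules, and reports a cookie set by more than one header. The sample headers are constructed with placeholder values.

```python
# Constructed sample headers modelled on the report; cookie values are placeholders.
SAMPLE_HEADERS = [
    "Set-Cookie: __Host-SSLJSESSIONID=aaa-PLACEHOLDER; Path=/; Secure; Version=1; SameSite=Strict; HttpOnly",
    'Set-Cookie2: __Host-SSLJSESSIONID="aaa-PLACEHOLDER"; Path="/"; Secure; Version=1; SameSite=Strict; HttpOnly',
    "Set-Cookie: JSESSIONID=bbb-PLACEHOLDER; Path=/",  # constructed weak cookie: no flags
]


def parse_set_cookie(header):
    """Return (header_name, cookie_name, value, {attr_lower: value}); quotes are stripped."""
    hname, _, rest = header.partition(":")
    pieces = [p.strip() for p in rest.split(";") if p.strip()]
    name, _, value = pieces[0].partition("=")
    attrs = {}
    for piece in pieces[1:]:
        key, _, val = piece.partition("=")
        # RFC 2965 (Set-Cookie2) quotes values such as Path="/"; unquote so both forms compare.
        attrs[key.strip().lower()] = val.strip().strip('"')
    return hname.strip(), name.strip(), value.strip('"'), attrs


def audit_cookie(header):
    """Return the list of findings for one cookie-setting header."""
    hname, name, _value, attrs = parse_set_cookie(header)
    findings = []
    if hname.lower() == "set-cookie2":
        findings.append("obsolete Set-Cookie2 header (RFC 2965, obsoleted by RFC 6265)")
    for flag in ("secure", "httponly"):
        if flag not in attrs:
            findings.append("missing " + flag)
    if attrs.get("samesite", "").lower() not in ("strict", "lax"):
        findings.append("SameSite not Strict/Lax")
    # A __Host- prefixed cookie must be Secure, have Path=/ and carry no Domain.
    bad_host = "secure" not in attrs or attrs.get("path") != "/" or "domain" in attrs
    if name.startswith("__Host-") and bad_host:
        findings.append("__Host- prefix requirements violated")
    return findings


def audit_response(headers):
    """Audit each header and flag cookies set by more than one header."""
    names = [parse_set_cookie(h)[1] for h in headers]
    report = {}
    for header, name in zip(headers, names):
        findings = audit_cookie(header)
        if names.count(name) > 1:
            findings.append("cookie %s set by %d headers" % (name, names.count(name)))
        report[header] = findings
    return report
```

Run against the two headers from the report, the Set-Cookie line is clean apart from the duplicate, while the Set-Cookie2 line is flagged as obsolete.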

- Notes
(0006840) ferg, 07-12-18 14:22
server/01em

- Issue History
Date Modified Username Field Change
06-23-18 19:15 ferg New Issue
06-24-18 04:00 stbu Issue Monitored: stbu
07-12-18 14:22 ferg Note Added: 0006840
07-12-18 14:22 ferg Assigned To  => ferg
07-12-18 14:22 ferg Status new => closed
07-12-18 14:22 ferg Resolution open => fixed
07-12-18 14:22 ferg Fixed in Version  => 4.0.58