Mantis - Resin
Viewing Issue Advanced Details

ID:               6167
Category:         (not set)
Severity:         minor
Reproducibility:  always
Date Submitted:   06-23-18 19:15
Last Update:      07-12-18 14:22

Reporter:         ferg
Assigned To:      ferg
Priority:         normal
Status:           closed
Resolution:       fixed
Projection:       none
ETA:              none
Fixed in Version: 4.0.58
Platform, OS, OS Version, Product Version, Product Build: (not set)

Summary: 0006167: cookie-same-site
Description:

(reported by Steffan Busch) But just adding the <cookie-same-site> was not working for our existing ssl-session-cookie:

    <!-- - For security, set the HttpOnly flag in cookies. -->
    <cookie-http-only/>
  + <cookie-same-site>Strict</cookie-same-site>

After looking into the source of AbstractHttpResponse.java I've seen that the SameSite logic is in an "if (version > 0) {" block. So I have added this:

    <session-config>
      <use-persistent-store>false</use-persistent-store>
      <enable-url-rewriting>false</enable-url-rewriting>
  +   <cookie-version>1</cookie-version>
    </session-config>

which now causes two cookie headers to be sent in the response:

    Set-Cookie: __Host-SSLJSESSIONID=aaa-ZjfzyD5KS98U2iNqw; Path=/; Secure; Version=1; SameSite=Strict; HttpOnly
    Set-Cookie2: __Host-SSLJSESSIONID="aaa-ZjfzyD5KS98U2iNqw"; Path="/"; Secure; Version=1; SameSite=Strict; HttpOnly

Wouldn't it be possible to have the SameSite cookie configuration without the obsolete[1] Set-Cookie2 feature?
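The report above shows the two headers Resin emitted once cookie-version was raised to 1. Whether the SameSite setting actually took effect, and whether the session cookie also satisfies the Secure, HttpOnly and __Host- prefix rules it is clearly aiming for, is something worth checking from the response rather than from the config. The following is an added example by the editor, not code from the report or from Resin: it parses Set-Cookie values along the lines of RFC 6265 and applies the SameSite and cookie-prefix rules browsers enforce (Secure for __Secure-; Secure, Path=/ and no Domain for __Host-; Secure for SameSite=None), and it flags any Set-Cookie2 header as obsolete (RFC 2965 was obsoleted by RFC 6265). The two sample headers are copied from the report; the extra negative cases are constructed.

```python
"""Audit Set-Cookie response headers for Secure, HttpOnly, SameSite and the
__Host-/__Secure- name prefixes. Added example, not Resin code."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Sequence, Tuple

# Sample response headers exactly as quoted in the bug report (constructed test input).
SAMPLE_HEADERS: List[Tuple[str, str]] = [
    ("Set-Cookie",
     "__Host-SSLJSESSIONID=aaa-ZjfzyD5KS98U2iNqw; Path=/; Secure; Version=1; SameSite=Strict; HttpOnly"),
    ("Set-Cookie2",
     '__Host-SSLJSESSIONID="aaa-ZjfzyD5KS98U2iNqw"; Path="/"; Secure; Version=1; SameSite=Strict; HttpOnly'),
]


@dataclass
class Cookie:
    name: str
    value: str
    # Attribute names are case-insensitive (RFC 6265), so they are stored lower-cased;
    # flag attributes such as Secure/HttpOnly map to None.
    attrs: Dict[str, Optional[str]] = field(default_factory=dict)


def parse_set_cookie(header_value: str) -> Cookie:
    """Split a Set-Cookie (or Set-Cookie2) value into name, value and attributes.
    Quoted values, as in the Set-Cookie2 form, are unquoted."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name.strip(), value.strip().strip('"'))
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        cookie.attrs[key.strip().lower()] = val.strip().strip('"') if val else None
    return cookie


def audit_cookie(cookie: Cookie) -> List[str]:
    """Return the findings for one cookie; an empty list means it passes."""
    findings: List[str] = []
    a = cookie.attrs
    if "secure" not in a:
        findings.append("missing Secure")
    if "httponly" not in a:
        findings.append("missing HttpOnly")
    samesite = a.get("samesite")
    if samesite is None:
        findings.append("missing SameSite")
    elif samesite.lower() not in ("strict", "lax", "none"):
        findings.append(f"unknown SameSite value {samesite!r}")
    elif samesite.lower() == "none" and "secure" not in a:
        findings.append("SameSite=None requires Secure")
    # Cookie-prefix rules: browsers reject a prefixed cookie that violates them,
    # so a misconfigured __Host- cookie silently breaks the session.
    if cookie.name.startswith("__Host-"):
        if "secure" not in a:
            findings.append("__Host- prefix requires Secure")
        if a.get("path") != "/":
            findings.append("__Host- prefix requires Path=/")
        if "domain" in a:
            findings.append("__Host- prefix forbids Domain")
    elif cookie.name.startswith("__Secure-") and "secure" not in a:
        findings.append("__Secure- prefix requires Secure")
    return findings


def audit_response(headers: Sequence[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Audit every Set-Cookie header in a response; any Set-Cookie2 header is
    reported as obsolete rather than audited, since RFC 6265 browsers ignore it."""
    report: Dict[str, List[str]] = {}
    for hname, hvalue in headers:
        cookie = parse_set_cookie(hvalue)
        if hname.lower() == "set-cookie2":
            report.setdefault(cookie.name, []).append("obsolete Set-Cookie2 header emitted")
        elif hname.lower() == "set-cookie":
            report.setdefault(cookie.name, []).extend(audit_cookie(cookie))
    return report


if __name__ == "__main__":
    for name, findings in audit_response(SAMPLE_HEADERS).items():
        print(name, findings or "OK")
```

Run against the report's headers, the Set-Cookie line passes every check (Secure, HttpOnly, SameSite=Strict, and the __Host- constraints), so the only finding is the Set-Cookie2 header itself, which is the behaviour the report asks to get rid of. Feed it the headers of a real response (for example from `curl -sI`) to confirm a deployment after changing cookie-same-site.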