SameSite cookies


SameSite cookies

Christopher Schultz-2

All,

I'm looking at using "samesite" cookies within my application. It
looks as simple as setting the "sameSite" attribute appropriately on
the CookieProcessor for the <Context>, which isn't there in a default
configuration. So you just have to add it:

<Context [...]>

   <CookieProcessor sameSiteCookies="lax" />

</Context>

Cool, now my JSESSIONID cookies are coming back with the SameSite=Lax
parameter.

But it also applies to all the other cookies my application creates.
It looks like there is no way to set/reset this parameter on an
individual-cookie basis. That would require a change to the Servlet
API, right?

I'm okay with SameSite being applied to ALL my cookies, but maybe not
everybody is. Are there any workarounds for this?

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]


Re: SameSite cookies

Rémy Maucherat
On Fri, Nov 8, 2019 at 4:04 PM Christopher Schultz <[hidden email]> wrote:

> All,
>
> I'm looking at using "samesite" cookies within my application. It
> looks as simple as setting the "sameSite" attribute appropriately on
> the CookieProcessor for the <Context>, which isn't there in a default
> configuration. So you just have to add it:
>
> <Context [...]>
>
>    <CookieProcessor sameSiteCookies="lax" />
>
> </Context>
>
> Cool, now my JSESSIONID cookies are coming back with the SameSite=Lax
> parameter.
>
> But it also applies to all the other cookies my application creates.
> It looks like there is no way to set/reset this parameter on an
> individual-cookie basis. That would require a change to the Servlet
> API, right?
>
> I'm okay with SameSite being applied to ALL my cookies, but maybe not
> everybody is. Are there any workarounds for this?
>

The Servlet API has no remove-cookie API. If you use a Valve, you can
remove cookies using Response.getCookies and then remove them from the list.
But this is not really the problem here, since the SameSite attribute is added
when the cookie header is generated. You could extend the CookieGenerator to
add more flexibility for your use case, maybe?

Rémy

Re: SameSite cookies

M. Manna
In reply to this post by Christopher Schultz-2
Hey Chris,

Interesting question.

The SameSite attribute is also there to protect cookies from possible cross-site
attacks. Even if you have super-domain cookies, using strict/lax shouldn't
make any difference for you, or does it?

Thanks,


Re: SameSite cookies

markt
In reply to this post by Christopher Schultz-2
> All,
>
> I'm looking at using "samesite" cookies within my application. It
> looks as simple as setting the "sameSite" attribute appropriately on
> the CookieProcessor for the <Context>, which isn't there in a default
> configuration. So you just have to add it:
>
> <Context [...]>
>
>    <CookieProcessor sameSiteCookies="lax" />
>
> </Context>
>
> Cool, now my JSESSIONID cookies are coming back with the SameSite=Lax
> parameter.
>
> But it also applies to all the other cookies my application creates.
> It looks like there is no way to set/reset this parameter on an
> individual-cookie basis. That would require a change to the Servlet
> API, right?

That would be one way to implement it - and then the app would have to
(un)set it.

Per Cookie configuration in CookieProcessor would be another way. I
haven't thought about how that might be implemented though.

> I'm okay with SameSite being applied to ALL my cookies, but maybe not
> everybody is. Are there any workarounds for this?

Manually write your own cookie header.

Mark

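Mark's workaround, worked through as an added example (my code, not the thread's and not Tomcat's): the Set-Cookie header is written by hand through the standard HttpServletResponse.addHeader call, so each cookie carries its own SameSite value while JSESSIONID, which Tomcat emits itself, stays under the context-wide CookieProcessor setting. The class name SameSiteCookies and the method names are assumptions for this example.

```java
import java.util.regex.Pattern;
import javax.servlet.http.HttpServletResponse;

public final class SameSiteCookies {

    public enum SameSite { STRICT, LAX, NONE }

    // RFC 6265 cookie-octet: printable US-ASCII minus CTLs, space,
    // double quote, comma, semicolon and backslash.
    private static final Pattern COOKIE_VALUE =
            Pattern.compile("[\\x21\\x23-\\x2B\\x2D-\\x3A\\x3C-\\x5B\\x5D-\\x7E]*");
    // Cookie name must be an HTTP token; path must not contain ';' or CTLs.
    private static final Pattern COOKIE_NAME =
            Pattern.compile("[!#$%&'*+\\-.^_`|~0-9A-Za-z]+");
    private static final Pattern COOKIE_PATH = Pattern.compile("[\\x20-\\x3A\\x3C-\\x7E]+");

    private SameSiteCookies() {}

    /** Builds the Set-Cookie value; rejects characters that would let a caller
     *  smuggle in extra attributes or a second cookie. */
    static String header(String name, String value, String path,
                         long maxAgeSeconds, boolean httpOnly, SameSite sameSite) {
        if (!COOKIE_NAME.matcher(name).matches()
                || !COOKIE_VALUE.matcher(value).matches()
                || !COOKIE_PATH.matcher(path).matches()) {
            throw new IllegalArgumentException("invalid cookie name, value or path");
        }
        StringBuilder sb = new StringBuilder(name).append('=').append(value);
        sb.append("; Path=").append(path);
        if (maxAgeSeconds >= 0) {
            sb.append("; Max-Age=").append(maxAgeSeconds);
        }
        // Browsers reject SameSite=None without Secure, and the other values
        // gain nothing by omitting it, so Secure is always sent.
        sb.append("; Secure");
        if (httpOnly) {
            sb.append("; HttpOnly");
        }
        // "Strict", "Lax" or "None": capitalised as in the draft spec.
        String ss = sameSite.name().charAt(0) + sameSite.name().substring(1).toLowerCase();
        return sb.append("; SameSite=").append(ss).toString();
    }

    /** Writes the header directly, bypassing response.addCookie() and therefore
     *  the context-wide sameSiteCookies setting of Tomcat's CookieProcessor. */
    public static void addSameSiteCookie(HttpServletResponse resp, String name,
                                         String value, SameSite sameSite) {
        resp.addHeader("Set-Cookie", header(name, value, "/", -1, true, sameSite));
    }
}
```

Only cookies written through this helper carry their own policy; anything still sent via response.addCookie(), JSESSIONID included, gets whatever the CookieProcessor's sameSiteCookies value says.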


Re: SameSite cookies

Christopher Schultz-2

Mark,

On 11/8/19 11:53, Mark Thomas wrote:

>> All,
>>
>> I'm looking at using "samesite" cookies within my application.
>> It looks as simple as setting the "sameSite" attribute
>> appropriately on the CookieProcessor for the <Context>, which
>> isn't there in a default configuration. So you just have to add
>> it:
>>
>> <Context [...]>
>>
>> <CookieProcessor sameSiteCookies="lax" />
>>
>> </Context>
>>
>> Cool, now my JSESSIONID cookies are coming back with the
>> SameSite=Lax parameter.
>>
>> But it also applies to all the other cookies my application
>> creates. It looks like there is no way to set/reset this
>> parameter on an individual-cookie basis. That would require a
>> change to the Servlet API, right?
>
> That would be one way to implement it - and then the app would have
> to (un)set it.
>
> Per Cookie configuration in CookieProcessor would be another way.
> I haven't thought about how that might be implemented though.

It seems that there are enough cookie parameters that the servlet spec
doesn't support[1] that it might not be a bad idea to propose two new
methods to be added to the Cookie class:

  public void setAttribute(String name, String value);
  public String getAttribute(String name);

Then, if e.g. SameSite isn't directly supported by the Cookie API,
applications can still:

  Cookie cookie = new Cookie("my_cookie", "value"); // Cookie has no single-argument constructor
  cookie.setAttribute("SameSite", "Strict"); // or null

>> I'm okay with SameSite being applied to ALL my cookies, but maybe
>> not everybody is. Are there any workarounds for this?
>
> Manually write your own cookie header.

Duh. Of course that will work :)

-chris

[1] https://scotthelme.co.uk/tough-cookies/



Re: SameSite cookies

Christopher Schultz-2
In reply to this post by M. Manna

M,

On 11/8/19 10:40, M. Manna wrote:
> Interesting question.
>
> The SameSite attribute is also there to protect cookies from possible
> cross-site attacks. Even if you have super-domain cookies, using
> strict/lax shouldn't make any difference for you, or does it?

I was just thinking that it's obvious that Tomcat would handle the
JSESSIONID cookie with respect to the SameSite policy. But the
CookieProcessor affects *all* cookies for the whole application, not
just those created for session-tracking. Perhaps you want different
policies for different (types of) cookies.

I haven't really thought of any specific use-cases, honestly.

Mark's workaround of directly-generating the Set-Cookie response
header is obviously the answer if you want different policies for
different cookies. That just may require applications to be re-written
if the administrator wants to enable e.g. SameSite=Strict for the
JSESSIONID cookie, because there is no way to say "only apply this
policy to JSESSIONID cookies" or anything like that.

-chris

