Uploaded image for project: 'Undertow'
  1. Undertow
  2. UNDERTOW-1600

Enhance SameSite Cookie support

    XMLWordPrintable

    Details

    • Type: Feature Request
    • Status: Resolved (View Workflow)
    • Priority: Major
    • Resolution: Done
    • Affects Version/s: 2.0.26.Final
    • Fix Version/s: 2.1.0.Final
    • Component/s: Core
    • Labels:
      None

      Description

      Initial SameSite Cookie support was implemented by UNDERTOW-1024 2 year ago. It was based on https://tools.ietf.org/html/draft-ietf-httpbis-cookie-same-site-00.

      Though the specification is still draft, as per https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-03#section-4.1, some part has been updated. For example:

      • A new "None" attribute is added in addition to "Strict" and "Lax".
      • A bare SameSite attribute is not supported. SameSite attribute needs to be set with "Strict", "Lax" or "None".

      I would like to propose the following update for SameSite Cookie support:

      • Define 3 SameSiteMode ("Strict", "Lax" and "None") as enum in io.undertow.server.handlers.Cookie
      • Implement getSameSiteMode() and setSameSiteMode() in io.undertow.servlet.spec.ServletCookieAdaptor. Servlet API has not yet supported SameSite Cookie, but this can enable SameSite flag to the Servlet Cookie through the Undertow API
      • Add SameSiteCookieHandler which can set the SameSite flag on all cookies or the cookie which matches specified name.

      In addition, as per the articles https://web.dev/samesite-cookie-recipes/ and https://www.chromium.org/updates/same-site/incompatible-clients which was written just after raising this JIRA, there are some user agents are known to be not compatible with SameSite=None attribute. So, I would like to add a utility class that can detect such incompatible clients and can be used not to send SameSite=None cookie for such clients.

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              mmiura Masafumi Miura
              Reporter:
              mmiura Masafumi Miura
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved: