Uploaded image for project: 'Undertow'
  1. Undertow
  2. UNDERTOW-1600

Enhance SameSite Cookie support



    • Feature Request
    • Resolution: Done
    • Major
    • 2.1.0.Final
    • 2.0.26.Final
    • Core
    • None


      Initial SameSite Cookie support was implemented by UNDERTOW-1024 2 year ago. It was based on https://tools.ietf.org/html/draft-ietf-httpbis-cookie-same-site-00.

      Though the specification is still draft, as per https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-03#section-4.1, some part has been updated. For example:

      • A new "None" attribute is added in addition to "Strict" and "Lax".
      • A bare SameSite attribute is not supported. SameSite attribute needs to be set with "Strict", "Lax" or "None".

      I would like to propose the following update for SameSite Cookie support:

      • Define 3 SameSiteMode ("Strict", "Lax" and "None") as enum in io.undertow.server.handlers.Cookie
      • Implement getSameSiteMode() and setSameSiteMode() in io.undertow.servlet.spec.ServletCookieAdaptor. Servlet API has not yet supported SameSite Cookie, but this can enable SameSite flag to the Servlet Cookie through the Undertow API
      • Add SameSiteCookieHandler which can set the SameSite flag on all cookies or the cookie which matches specified name.

      In addition, as per the articles https://web.dev/samesite-cookie-recipes/ and https://www.chromium.org/updates/same-site/incompatible-clients which was written just after raising this JIRA, there are some user agents are known to be not compatible with SameSite=None attribute. So, I would like to add a utility class that can detect such incompatible clients and can be used not to send SameSite=None cookie for such clients.


        Issue Links


            Public project attachment banner

              context keys: [headless, issue, helper, isAsynchronousRequest, project, action, user]
              current Project key: UNDERTOW


                rhn-support-mmiura Masafumi Miura
                rhn-support-mmiura Masafumi Miura
                0 Vote for this issue
                5 Start watching this issue