• Type: Feature Request
    • Status: Resolved
    • Priority: Major
    • Resolution: Done
    • Affects Version/s: 2.0.26.Final
    • Fix Version/s: 2.1.0.Final
    • Component/s: Core
    • Labels:


      Initial SameSite Cookie support was implemented by UNDERTOW-1024 2 years ago. It was based on

      Though the specification is still a draft, as per, some parts have been updated. For example:

      • A new "None" attribute is added in addition to "Strict" and "Lax".
      • A bare SameSite attribute is not supported. SameSite attribute needs to be set with "Strict", "Lax" or "None".

      I would like to propose the following update for SameSite Cookie support:

      • Define 3 SameSiteMode ("Strict", "Lax" and "None") as enum in io.undertow.server.handlers.Cookie
      • Implement getSameSiteMode() and setSameSiteMode() in io.undertow.servlet.spec.ServletCookieAdaptor. The Servlet API does not yet support SameSite cookies, but this enables setting the SameSite flag on a Servlet Cookie through the Undertow API.
      • Add SameSiteCookieHandler, which can set the SameSite flag on all cookies or on the cookie that matches a specified name.

      In addition, as per the articles and which was written just after raising this JIRA, some user agents are known to be incompatible with the SameSite=None attribute. So, I would like to add a utility class that can detect such incompatible clients and can be used to avoid sending SameSite=None cookies to such clients.
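
A self-contained sketch of the behaviour requested above, added here as an illustration and not taken from Undertow's code: it appends one of the three SameSite modes to a matching Set-Cookie value and withholds SameSite=None from incompatible clients. The class and method names are hypothetical, and the client check assumes only two families (Chrome 51 to 66 and iOS 12) from Chromium's published list of SameSite=None-incompatible clients.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;
public class SameSiteExample {
    // The three modes named in the request; a bare "SameSite" is never emitted.
    enum SameSiteMode { STRICT("Strict"), LAX("Lax"), NONE("None");
        final String label;
        SameSiteMode(String label) { this.label = label; }
    }
    private static final Pattern CHROME = Pattern.compile("Chrom(?:e|ium)/(\\d+)\\.");
    private static final Pattern IOS = Pattern.compile("\\(iP[^)]*OS (\\d+)_");

    // Assumption: covers only Chrome 51-66 and iOS 12 from Chromium's list of
    // SameSite=None-incompatible clients; the full list is longer.
    static boolean shouldSendSameSiteNone(String userAgent) {
        if (userAgent == null) return true;
        Matcher ios = IOS.matcher(userAgent);
        if (ios.find() && Integer.parseInt(ios.group(1)) == 12) return false;
        Matcher chrome = CHROME.matcher(userAgent);
        if (chrome.find()) {
            int major = Integer.parseInt(chrome.group(1));
            return major < 51 || major > 66;
        }
        return true;
    }

    // Appends SameSite to a Set-Cookie value when the cookie name matches.
    static String applySameSite(String setCookie, String cookieName, SameSiteMode mode, String userAgent) {
        String name = setCookie.substring(0, Math.max(0, setCookie.indexOf('='))).trim();
        if (!name.equals(cookieName) || setCookie.toLowerCase().contains("samesite=")) return setCookie;
        if (mode == SameSiteMode.NONE) {
            if (!shouldSendSameSiteNone(userAgent)) return setCookie; // leave the attribute off
            // Current browsers reject SameSite=None cookies that lack Secure.
            if (!setCookie.toLowerCase().contains("; secure")) setCookie += "; Secure";
        }
        return setCookie + "; SameSite=" + mode.label;
    }

    public static void main(String[] args) {
        // Constructed sample User-Agent strings.
        String chrome60 = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36";
        String chrome80 = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.87 Safari/537.36";
        String ios12 = "Mozilla/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.2 Mobile/15E148 Safari/604.1";
        for (String ua : new String[] {chrome60, chrome80, ios12}) {
            System.out.println(applySameSite("SESSION=abc; Path=/; HttpOnly", "SESSION", SameSiteMode.NONE, ua));
        }
        System.out.println(applySameSite("SESSION=abc; Path=/", "SESSION", SameSiteMode.LAX, chrome60));
    }
}
```

Only the Chrome 80 request receives `SameSite=None` (with `Secure` added); the Chrome 60 and iOS 12 requests get the cookie without the attribute, which those clients handle as they did before SameSite existed.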

                • Assignee:
                  mmiura Masafumi Miura


                  • Created: