Loading...

XML

Word

Printable

Type: Feature Request
Resolution: Done
Priority: Major
Fix Version/s: 2.4.0.Final, 2.3.21.Final, 2.2.40.Final, EE 1.0.0.Final, EE 2.0.0.Final, 2.4.0.Beta1, EE 2.0.0.Beta1, EE 1.0.0.Alpha1
Affects Version/s: None
Component/s: Servlet
Labels:
None

This is a feature request for supporting custom cookie attributes as described in the Jakarta Servlet 6.0 specification under https://github.com/jakartaee/servlet/issues/175

As discussed in the issue, the SameSite attribute has not been added to the jakarta.servlet.http.Cookie interface so far, because the RFC is still a draft, although the attribute is widely supported by web browsers. However, custom attributes have been added and implementation in Undertow would be much appreciated.

I have attached a reproducer based on the numberguess WildFly quickstart: numberguess.zip

The quickstart has been enhanced with the following class, that demonstrates the requested feature:

package org.jboss.as.quickstarts.numberguess;

import jakarta.servlet.ServletContextEvent;
import jakarta.servlet.ServletContextListener;
import jakarta.servlet.SessionCookieConfig;
import jakarta.servlet.annotation.WebListener;

@WebListener
public class ContextListener implements ServletContextListener {
    @Override
    public void contextInitialized(ServletContextEvent servletContextEvent) {
        SessionCookieConfig sessionCookieConfig = servletContextEvent.getServletContext().getSessionCookieConfig();
        sessionCookieConfig.setSecure(true);
        sessionCookieConfig.setHttpOnly(true);
        sessionCookieConfig.setAttribute("SameSite", "Strict"); // or sessionCookieConfig.setSameSite(true);
    }
}

You can run the quickstart by executing:

$ mvn clean package wildfly:start

Open a browser and the browser's network analyzer and go to http://localhost:8080/numberguess/home.jsf

See, that Secure and HttpOnly have been added to the Set-Cookie header, but SameSite is missing.

- - Sort By Name
  - Sort By Date
  - Ascending
  - Descending
  - Thumbnails
  - List
  - Download All

image-2025-07-17-13-41-21-700.png
92 kB
2025/07/17 11:41 AM
numberguess.zip
28 kB
2025/07/16 1:01 PM

blocks

JBEAP-31852 [GSS](8.1.z) WFLY-19551 - Undertow subsystem is missing Servlet 6.0 support for cookie attributes

Pull Request Sent

WFLY-19551 Undertow subsystem is missing Servlet 6.0 support for cookie attributes

Pull Request Sent

causes

JBEAP-32060 (8.1.z) UNDERTOW-2580 / UNDERTOW-2421 cause compilation failures

JBEAP-32061 (8.0.z) UNDERTOW-2580 / UNDERTOW-2421 cause compilation failures

is incorporated by

WFCORE-7462 CVE-2024-3884 CVE-2025-12543 Upgrade Undertow to 2.3.21.Final

Resolved

WFCORE-7475 Upgrade Undertow to 2.4.x

Coding In Progress

relates to

JBMETA-457 Missing support for cookie attributes (since Servlet 6.0)

Resolved

(1 is incorporated by, 1 relates to)

Assignee:: Bartosz Baranowski

Reporter:: Manuel K

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Created:: 2025/07/16 1:12 PM

Updated:: 2026/02/18 5:37 PM

Resolved:: 2026/01/12 7:05 AM

Details

Description

Attachments

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates