7

I have a problem with setting the SameSite attribute in a Cookie. I wanted to set this attribute, but neither javax.servlet.http.Cookie nor java.net.HttpCookie provides a method to deal with it. Therefore, I had the idea to create a response javax.servlet.Filter that catches the "Set-Cookie" header and adds the "SameSite=Strict" attribute.

response.setHeader("Set-Cookie", response.getHeader("Set-Cookie") + "; SameSite=strict");

It works OK, but a problem appears when I have more than one "Set-Cookie" header in one response. javax.servlet.http.HttpServletResponse does not provide a method to remove or overwrite more than one header with the same name (iterating over them and using setHeader() doesn't work because it always sets the last one). Do you have any idea how to set the SameSite attribute on a cookie, or how to overwrite headers in a response filter?

Thanks in advance.

mwyrzyk
  • Please find my detailed answer to this case [HERE](https://stackoverflow.com/a/59892503/4827241). – Alexander Martyushov Jan 24 '20 at 08:08
  • Check this one, which uses GenericFilterBean / a temporary redirect request to solve the same kind of issue: https://stackoverflow.com/questions/63939078/how-to-set-samesite-and-secure-attribute-to-jsessionid-cookie/63939775#63939775 – ThilankaD Oct 28 '20 at 05:16

4 Answers

12

It turns out that using the setHeader() method removes all previous headers with the same name, so I just created a simple for loop in the doFilter() method. It adds the SameSite=Strict attribute to every cookie that is set.

// Inside doFilter(), after chain.doFilter() has returned (getHeaders() needs Servlet 3.0+).
HttpServletResponse httpResponse = (HttpServletResponse) response;
// Copy the values first: setHeader() below replaces the live header list.
List<String> cookiesHeaders = new ArrayList<>(httpResponse.getHeaders("Set-Cookie"));
boolean firstHeader = true;
for (String header : cookiesHeaders) {
    if (firstHeader) {
        // setHeader() replaces every existing Set-Cookie header with this one
        httpResponse.setHeader("Set-Cookie",
                String.format("%s; %s", header, "SameSite=Strict"));
        firstHeader = false;
        continue;
    }
    // the remaining cookies are appended as additional Set-Cookie headers
    httpResponse.addHeader("Set-Cookie",
            String.format("%s; %s", header, "SameSite=Strict"));
}
mwyrzyk
  • It did not work for me; I am using Jetty 6.1 and Servlet API 2.5, that might be the reason? The SameSite=Strict attribute is visible on the console but not in the browser. – jatin Goyal Dec 28 '20 at 11:39
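A complete filter built on the approach in this answer, added here as an example (not the asker's code): it runs after the application, rewrites every Set-Cookie header, and skips cookies that already carry a SameSite attribute so that running the filter twice does not produce duplicates. It assumes Servlet 3.0 or later, where HttpServletResponse.getHeaders() exists (Servlet 2.5 containers like the Jetty 6.1 mentioned above lack it), and that the response is not yet committed when the chain returns.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/** Appends SameSite=Strict to every Set-Cookie header that has no SameSite attribute yet. */
public class SameSiteCookieFilter implements Filter {
    private static final String SET_COOKIE = "Set-Cookie";
    @Override public void init(FilterConfig config) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        // Let the application run first so that all of its cookies are already in the response.
        chain.doFilter(request, response);
        HttpServletResponse httpResponse = (HttpServletResponse) response;
        // Once committed, the headers are already on the wire and cannot be changed.
        if (httpResponse.isCommitted()) {
            return;
        }
        // Copy the values: setHeader() below replaces the response's own header list.
        List<String> cookies = new ArrayList<>(httpResponse.getHeaders(SET_COOKIE));
        for (int i = 0; i < cookies.size(); i++) {
            String value = withSameSite(cookies.get(i), "Strict");
            if (i == 0) {
                httpResponse.setHeader(SET_COOKIE, value); // drops all existing Set-Cookie headers
            } else {
                httpResponse.addHeader(SET_COOKIE, value); // re-adds the rest, now with SameSite
            }
        }
    }

    /** Adds "; SameSite=<mode>" unless the header already has a SameSite attribute (idempotent). */
    static String withSameSite(String setCookie, String mode) {
        for (String attr : setCookie.split(";")) {
            if (attr.trim().toLowerCase(Locale.ROOT).startsWith("samesite=")) {
                return setCookie; // the application chose a mode already; leave it alone
            }
        }
        return setCookie + "; SameSite=" + mode;
    }
}
```

Register it so it wraps the servlets that set cookies (e.g. with a web.xml filter-mapping or @WebFilter("/*")); Strict will also block cookies on top-level navigations from other sites, so use Lax where that breaks logins.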
1

In etc/apache2/httpd.conf

Header edit Set-Cookie ^(.*)$ $1;SameSite=Strict


works for me.

user2677034
1

New Tomcat supports SameSite cookies via TomcatContextCustomizer.

Grigory Kislin
0

If javax still has no implementation for SameSite, you can try extending the response class and using a cookie library that already has a SameSite implementation. In my case it was the Spring Framework ResponseCookie class.

Here is the extended class:

import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;
import org.springframework.http.HttpHeaders;
import org.springframework.http.ResponseCookie;

public class SamesiteHttpServletResponse extends HttpServletResponseWrapper
{
  public SamesiteHttpServletResponse(HttpServletResponse response)
  {
    super(response);
  }

  // Instead of delegating to the wrapped response, render the cookie with
  // Spring's ResponseCookie (which knows SameSite) and write it as a raw header.
  // Note: the domain of the original Cookie is not copied over here.
  @Override
  public void addCookie(Cookie cookie)
  {
    ResponseCookie responseCookie = ResponseCookie
      .from(cookie.getName(), cookie.getValue())
      .secure(true)
      .httpOnly(true)
      .path(cookie.getPath())
      .maxAge(cookie.getMaxAge()) // seconds; a negative value means a session cookie in both APIs
      .sameSite("Lax")
      .build();

    this.addHeader(HttpHeaders.SET_COOKIE, responseCookie.toString());
  }
}

Then use this class by wrapping the HttpServletResponse and adding cookies to the wrapped response. For example:

public void exampleMethod(HttpServletResponse res)
{
  HttpServletResponse response = new SamesiteHttpServletResponse(res);

  // create or get a hold of the javax Cookie you want to add the SameSite attribute to

  response.addCookie(mycookie);
}
GioPoe