
I would like to add the SameSite cookie attribute to the cookie I'm using in a Tomcat web app. To add the HttpOnly attribute it was enough to add the following definition in the web.xml file:

    <session-config>
        <session-timeout>240</session-timeout>
        <cookie-config>
            <http-only>true</http-only>
        </cookie-config>
    </session-config>

What about the SameSite attribute? Is it possible to set it in the same way as http-only, like `<same-site>true</same-site>`?

A definition of the SameSite cookie:

Same-site cookies (née "First-Party-Only" (née "First-Party")) allow servers to mitigate the risk of CSRF and information leakage attacks by asserting that a particular cookie should only be sent with requests initiated from the same registrable domain.

aleroot
    [Ivan Tsenov](https://stackoverflow.com/a/57622508/1606632) wrote how it can be added to Tomcat's `context.xml`. – f_puras Sep 18 '19 at 09:02

1 Answer


The options for the web.xml configuration file are defined in the Java Servlet Specification. This file does not support an option for including SameSite in the cookies.


A Simple Configuration for Tomcat

If you want to add the SameSite option to the cookies in your application, you can configure the Tomcat cookie processor (the `CookieProcessor` element) in META-INF/context.xml:

    <?xml version="1.0" encoding="UTF-8"?>
    <Context>

        <!-- Add SameSite to the cookies -->
        <CookieProcessor sameSiteCookies="none" />

    </Context>

NOTE: This configuration may fail in older versions of Tomcat. Apparently, these options work well if you use at least Tomcat 8.5.48 or 9.0.28. For older versions, there are some workarounds you may check.


Other options

You may try some web filters that implement this behaviour. For instance, you may check the IdP SameSite Session Cookie Filter.

Jaime
  • Adding on an alternative scenario for future viewers: For some reason WEB-INF/ folder wasn't working for me so I added an application specific context with samesite cookies in the tomcat conf folder. Assuming it's >= Tomcat 9.0.21. link: https://octopus.com/blog/defining-tomcat-context-paths – GioPoe May 15 '23 at 18:40
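A servlet filter of the kind the "Other options" section refers to, written here as an added example (not the IdP filter's code and not part of Tomcat): it wraps the response and appends `SameSite=Strict` to every `Set-Cookie` header just before the response is committed, which also catches the container-generated `JSESSIONID` that a plain `addCookie` override would miss. It assumes the `javax.servlet` API of Tomcat 8.5/9; the class, attribute and method names are my own.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.util.ArrayList;
import java.util.List;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletOutputStream;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

/** Hypothetical filter: appends SameSite=Strict to every Set-Cookie header before the response is committed. */
@WebFilter("/*")
public class SameSiteCookieFilter implements Filter {
    static final String SAME_SITE_VALUE = "Strict"; // use "Lax" if top-level cross-site links must keep the session

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (res instanceof HttpServletResponse) {
            SameSiteResponse wrapped = new SameSiteResponse((HttpServletResponse) res);
            chain.doFilter(req, wrapped);
            wrapped.appendSameSite(); // covers responses the servlet never flushed itself
        } else {
            chain.doFilter(req, res);
        }
    }

    /** Rewrites Set-Cookie on every path that commits the response, while the headers are still mutable. */
    static class SameSiteResponse extends HttpServletResponseWrapper {
        SameSiteResponse(HttpServletResponse response) { super(response); }
        void appendSameSite() {
            if (isCommitted()) return; // headers are frozen once the response is committed
            List<String> cookies = new ArrayList<>(getHeaders("Set-Cookie")); // copy: we rewrite the header below
            for (int i = 0; i < cookies.size(); i++) {
                String c = cookies.get(i);
                if (!c.toLowerCase().contains("samesite=")) c += "; SameSite=" + SAME_SITE_VALUE; // keep an explicit value
                if (i == 0) setHeader("Set-Cookie", c); else addHeader("Set-Cookie", c); // setHeader drops the old ones
            }
        }
        @Override public ServletOutputStream getOutputStream() throws IOException { appendSameSite(); return super.getOutputStream(); }
        @Override public PrintWriter getWriter() throws IOException { appendSameSite(); return super.getWriter(); }
        @Override public void sendRedirect(String location) throws IOException { appendSameSite(); super.sendRedirect(location); }
        @Override public void sendError(int sc, String msg) throws IOException { appendSameSite(); super.sendError(sc, msg); }
        @Override public void flushBuffer() throws IOException { appendSameSite(); super.flushBuffer(); }
    }
}
```

Pick the value deliberately: the `sameSiteCookies="none"` setting in the answer emits `SameSite=None`, which restricts nothing and which browsers only accept on Secure cookies; `lax` or `strict` is what actually limits cross-site sending.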