17

Tomcat's context.xml defines CookieProcessor (default LegacyCookieProcessor).

Apache Tomcat 9 Configuration Reference

I'm trying to add the attribute(s) shown on the cookie processor, however that doesn't seem to be working

<CookieProcessor className="org.apache.tomcat.util.http.LegacyCookieProcessor" sameSiteCookies="strict" />

I don't see Tomcat's response header cookie with sameSite attribute being set.

dur
Puneri

3 Answers

38

In your web application, inside the META-INF folder create a context.xml file with this inside.

<Context>
   <CookieProcessor sameSiteCookies="strict" />
</Context>

If you already have a context.xml file, you just need to add the CookieProcessor element.

This behavior is possible since Tomcat 9.0.21 and 8.5.42, or 9.0.28 and 8.5.48 if you need to set the attribute to "none".

Merged into Tomcat master on 20th of May 2019 with pull request 162

Ivan Tsenov
  • Update: In Tomcat < 9.0.28 (or < 8.5.48 for the 8.5.x branch), the same-site attribute is not set if the value is NONE. This causes some issues with the session cookie in [Chrome > 80](https://www.chromium.org/updates/same-site). It has been fixed in Oct 2019. [See the bug report](https://bz.apache.org/bugzilla/show_bug.cgi?id=63865) ([PR #219](https://github.com/apache/tomcat/pull/219)) – Junior Dussouillez Mar 10 '20 at 14:31
  • @JuniorDussouillez thanks a lot for the update. The versions preceding 8.5.48 are indeed unsetting the cookie sameSite attribute – arjunkhera Mar 24 '20 at 04:25
  • @JuniorDussouillez thanks man, I lost a lot of time thinking my Spring configuration was wrong, just to set SameSite=None – Carlos Alberto Schneider Sep 26 '20 at 21:16
  • If you create a context.xml within the application, will the context.xml override the Tomcat settings or union all the settings together? I do not want to lose any settings that are already set up within the Tomcat context.xml. – dev4life May 25 '22 at 15:32
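The accepted answer and its comments describe three outcomes a deployer will actually see on the wire: the Set-Cookie header carries the expected SameSite value, it carries none at all (pre-9.0.21/8.5.42, or the NONE case before 9.0.28/8.5.48), or it carries SameSite=None without Secure, which current browsers reject. The following checker is an added example, not code from the question, the answers, or the Tomcat project; it parses Set-Cookie header values (constructed samples are embedded, so it runs offline) and reports whether each one matches the policy configured via sameSiteCookies. Function and sample names are mine.

```python
"""Audit Set-Cookie header values for the SameSite attribute that Tomcat's
CookieProcessor (sameSiteCookies="strict" | "lax" | "none") is expected to add.

Added example: the parser and checks below are not Tomcat code. The header
strings in SAMPLE_HEADERS are constructed to mirror the cases discussed in the
answer and its comments; paste real 'curl -sI' output in their place.
"""
from typing import Dict, List, Union

Attrs = Dict[str, Union[str, bool]]


def parse_set_cookie(header_value: str) -> dict:
    """Split one Set-Cookie value into name, value and a lower-cased attribute map.

    Flag attributes without a value (Secure, HttpOnly) map to True;
    valued attributes (Path, SameSite, ...) keep their string value.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, has_value, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def check_samesite(header_value: str, expected: str) -> List[str]:
    """Return findings for one Set-Cookie value; an empty list means it matches
    the expected sameSiteCookies policy ("strict", "lax" or "none")."""
    cookie = parse_set_cookie(header_value)
    attrs = cookie["attrs"]
    findings: List[str] = []
    samesite = attrs.get("samesite")

    if samesite is None:
        # Older Tomcat releases (and the NONE case before 9.0.28/8.5.48) emit no
        # attribute at all, so the browser's own default (Lax in Chrome 80+) applies.
        findings.append(f"{cookie['name']}: SameSite attribute missing")
    elif samesite is True:
        findings.append(f"{cookie['name']}: SameSite present without a value")
    elif samesite.lower() != expected.lower():
        findings.append(f"{cookie['name']}: SameSite={samesite}, expected {expected}")

    # Browsers only honour SameSite=None on cookies that are also Secure.
    if expected.lower() == "none" and "secure" not in attrs:
        findings.append(f"{cookie['name']}: SameSite=None requires the Secure attribute")
    return findings


def audit(headers: Dict[str, str], expected: str) -> Dict[str, List[str]]:
    """Run check_samesite over a labelled set of Set-Cookie values."""
    return {label: check_samesite(value, expected) for label, value in headers.items()}


# Constructed sample headers (not captured from a real server).
SAMPLE_HEADERS = {
    "strict_ok": "JSESSIONID=ABC123; Path=/app; HttpOnly; SameSite=Strict",
    "missing": "JSESSIONID=ABC123; Path=/app; HttpOnly",
    "none_without_secure": "JSESSIONID=ABC123; Path=/app; HttpOnly; SameSite=None",
    "none_ok": "JSESSIONID=ABC123; Path=/app; Secure; HttpOnly; SameSite=None",
}

if __name__ == "__main__":
    for label, findings in audit(SAMPLE_HEADERS, "strict").items():
        print(f"[strict] {label}: {findings or 'OK'}")
    for label, findings in audit(SAMPLE_HEADERS, "none").items():
        print(f"[none]   {label}: {findings or 'OK'}")
```

To check a deployed application, take the Set-Cookie line from the response to a request that creates a session and pass it to check_samesite with the value you configured; a "missing" finding after configuring the element usually means the context fragment was not picked up or the Tomcat release predates support.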
1

Found answer to this :

  1. edit tomcat/conf/context.xml
  2. update the CookieProcessor element as on the following line, say for setting sameSiteCookies in the HTTP response's Set-Cookie header.
<CookieProcessor className="org.apache.tomcat.util.http.LegacyCookieProcessor" sameSiteCookies="strict" />
dur
Puneri
  • You should not be editing `tomcat/conf/context.xml`, generally. There should be a way to get this to work with a single application. – Christopher Schultz Aug 16 '19 at 03:59
  • Tried this to see if it would work also with Tomcat <8.5.42. It did not. So in any case I also need to update to a newer Tomcat to have "SameSite=None;Secure" added to my Set-Cookie header. – tnurmi Mar 26 '20 at 15:58
  • To elaborate on Christopher's comment, tomcat/conf/context.xml would define context settings for all webapps in Tomcat. For individual applications a context would need to be defined under the app's META-INF/ folder, or if an unpacked war file is used then an xml file with the same name as the war file is placed under tomcat/conf/{engineName}/{hostName}/{warfilename}.xml. Ref: https://octopus.com/blog/defining-tomcat-context-paths – GioPoe May 16 '23 at 18:03
0

To add on to the current answers, make sure the Tomcat version is exactly one of the releases that recognize samesite e.g. Tomcat 9.0.21. Adding the context to tomcat/conf/context.xml is generally a bad idea because it is not application specific. To define an application specific context you can create the folder path inside Tomcat/conf/{EngineName}/{HostName}/{applicationFileName}.xml. This is equivalent to adding the context to the /META-INF folder. There are several ways to define a context. Reference: https://octopus.com/blog/defining-tomcat-context-paths

GioPoe