I'm using the wcs6 version with Java 1.4. I am trying to set SameSite=None on my existing cookies (the `Cookie` class). Can anyone help me with this? How do I add this attribute to my existing cookies?
- Are you sure you are using Java 1.4? Java 1.4 is 16 years old. – JavaMan Jan 30 '20 at 19:18
- It would be helpful if you are able to link to the documentation for this. – rowan_m Jan 31 '20 at 09:58
- If you are not planning to update your applications, you may check the solutions that configure an Apache or Nginx server to modify the cookies "on the run". If you plan to update your solution, you may check other [solutions](https://stackoverflow.com/questions/49697449/how-to-enable-samesite-for-jsessionid-cookie/51576089#51576089) that add filters and HTTPHandlers in your applications to do it. – Jaime Jul 15 '20 at 11:42
- Yes, we are using Java 1.4 for the wcs6 version. In our future release we are migrating from wcs6 to REST API services with Java 1.8. – venkatesh A Nov 15 '20 at 06:14
- Last year (July 2021) we successfully migrated all wcs6 products to REST API services with Cassandra, Elasticsearch, Kafka, Java 1.8 and the WildFly 12 server. – venkatesh A Sep 29 '22 at 10:00
1 Answer
Using `SameSite` for marking cross-site cookies is relatively new. Web applications calling APIs in other sites without this mark cause a warning in Chrome 80 (Feb 2020) and more recent browsers. As announced in 2018, websites not using this mark will fail at some point in the future.

Older application servers do not offer options to include this mark in the cookies. Only newer versions of Tomcat (8.5.42 and 9.0.21 onward) and Jetty (9.4.21 onward) offer mechanisms for setting the same-site attribute on cookies.
An alternative for older application services
IBM, and many other companies, recommend configuring an Apache or Nginx server to process the cookies. For instance, typical installations of WebSphere include an IBM HTTP Server (a modified Apache server) that may replace the cookies issued by the applications to include the `SameSite=None; Secure` attribute without any change in your applications.
Using the IBM HTTP Server
The IBM HTTP Server (or any Apache server) can be configured to use the `mod_usertrack` module to process the cookies. You must include additional lines in the `httpd.conf` configuration file. The following is an example that modifies the `JSESSIONID` cookie.

```apache
# Capture the JSESSIONID value from the request's Cookie header into had-usertrack
SetEnvIf Cookie "(^|\s+|;\s+)JSESSIONID=([^;,]+)" had-usertrack=$2
# Re-issue the same cookie with the SameSite=None; Secure attributes appended
Header always add Set-Cookie "JSESSIONID=%{had-usertrack}e; SameSite=None; Secure" env=had-usertrack
```

The first line detects the cookie with the name `JSESSIONID` and captures its value in the `had-usertrack` variable. The second line sets the value for the same cookie, but adding `; SameSite=None; Secure` at the end.
Using the Apache server
There are many pages showing how to use Apache to solve the problem (1, 2, 3). They propose a simpler solution, editing the cookie without using the user tracking information.

For Apache 2, you can add the mark to the `JSESSIONID` cookie using the following:

```apache
Header edit Set-Cookie ^(JSESSIONID.*)$ $1;HttpOnly;Secure;SameSite=None
```

And you can add the `SameSite` option to all the cookies using the following:

```apache
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure;SameSite=None
```

NOTE: If you use `SameSite=None` in your cookies, you must add `Secure` too. That means that these cookies only work on secure connections (HTTPS). Therefore, (1) you must configure your IBM HTTP Server or Apache server to use secure connections and (2) your users must browse the applications using the HTTPS protocol instead of HTTP.
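If the application itself can be changed, the same result can be obtained inside the servlet container instead of in Apache. The following is an added example (not part of the answer, nor IBM or WebSphere code): a servlet filter that intercepts `addCookie()` and writes the `Set-Cookie` header by hand, since `javax.servlet.http.Cookie` has no SameSite setter. It assumes the Servlet 2.3 API and is written in Java 1.4 syntax; the class names are hypothetical.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical filter: every cookie the application adds is emitted as a raw
// Set-Cookie header carrying "HttpOnly; Secure; SameSite=None".
public class SameSiteCookieFilter implements Filter {

    public void init(FilterConfig config) throws ServletException {}

    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Wrap the response so addCookie() is intercepted before the container
        // serialises the cookie without the SameSite attribute.
        chain.doFilter(req, new SameSiteResponse((HttpServletResponse) res));
    }

    // Builds the Set-Cookie header value from the Cookie's own fields.
    static String toSetCookie(Cookie c) {
        StringBuffer sb = new StringBuffer();
        sb.append(c.getName()).append('=').append(c.getValue());
        if (c.getPath() != null) sb.append("; Path=").append(c.getPath());
        if (c.getDomain() != null) sb.append("; Domain=").append(c.getDomain());
        // getMaxAge() is -1 for a session cookie, so only emit Max-Age when set.
        if (c.getMaxAge() >= 0) sb.append("; Max-Age=").append(c.getMaxAge());
        // SameSite=None is only accepted together with Secure (see the NOTE above),
        // so these cookies are sent over HTTPS only.
        sb.append("; HttpOnly; Secure; SameSite=None");
        return sb.toString();
    }

    static class SameSiteResponse extends HttpServletResponseWrapper {
        SameSiteResponse(HttpServletResponse r) { super(r); }

        public void addCookie(Cookie cookie) {
            // Emit the header ourselves instead of delegating to the container.
            addHeader("Set-Cookie", toSetCookie(cookie));
        }
    }
}
```

The filter must be registered in `web.xml` with a `<filter>` and `<filter-mapping>` entry covering the paths that issue cookies.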