9

Tomcat's context.xml defines CookieProcessor (default LegacyCookieProcessor)

https://tomcat.apache.org/tomcat-9.0-doc/config/cookie-processor.html

I'm trying to add the attribute(s) shown on the cookie processor page; however, that doesn't seem to be working.

I don't see Tomcat's response-header cookie with the sameSite attribute being set.

Puneri

2 Answers

25

In your web application, inside the META-INF folder create a context.xml file with this inside.

```xml
<Context>
   <CookieProcessor sameSiteCookies="strict" />
</Context>
```

If you already have a context.xml file, you just need to add the CookieProcessor element.

This behavior is possible since Tomcat 9.0.21 and 8.5.42, or 9.0.28 and 8.5.48 if you need to set the attribute to "none".

Merged into Tomcat master on 20th of May 2019 with pull request 162

Ivan Tsenov
  • Thanks for pointing out this is available from 8.5.42, I am using 8.5.23 so will have to update Apache/Tomcat – user2677034 Dec 16 '19 at 17:48
  • 10
    Update: In Tomcat < 9.0.28 (or < 8.5.48 for the 8.5x branch), the same-site attribute is not set if the value is NONE. This causes some issues with the session cookie in [Chrome > 80](https://www.chromium.org/updates/same-site). It has been fixed in Oct 2019. [See the bug report](https://bz.apache.org/bugzilla/show_bug.cgi?id=63865) ([PR #219](https://github.com/apache/tomcat/pull/219)) – Junior Dussouillez Mar 10 '20 at 14:31
  • 1
    @JuniorDussouillez thanks a lot for the update. The versions preceding 8.5.48 are indeed unsetting the cookie sameSite attribute – arjunkhera Mar 24 '20 at 04:25
  • @JuniorDussouillez thanks man, I lost a lot of time thinking my Spring configuration was wrong, just to set SameSite=None – Carlos Alberto Schneider Sep 26 '20 at 21:16
0

Found the answer to this:

  1. Edit tomcat/conf/context.xml.
  2. Update the CookieProcessor element as on the following line, e.g. for setting SameSite cookies in the HTTP response's Set-Cookie header.

```xml
<CookieProcessor className="org.apache.tomcat.util.http.LegacyCookieProcessor" sameSiteCookies="strict" />
```

Puneri
  • 3
    You should not be editing `tomcat/conf/context.xml`, generally. There should be a way to get this to work with a single application. – Christopher Schultz Aug 16 '19 at 03:59
  • 2
    Tried this to see if it would work also with Tomcat <8.5.42. It did not. So in any case I also need to update to a newer Tomcat to have "SameSite=None;Secure" added to my Set-Cookie header. – tnurmi Mar 26 '20 at 15:58
  • Thanks, this worked perfect for me! – mcroteau Dec 10 '20 at 21:46
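Whichever of the two context.xml placements above you use, the way to confirm the change took effect is to look at the Set-Cookie header Tomcat actually sends. Added here as an example (not code from the question or either answer): a small Python checker that parses Set-Cookie values and flags the two failure modes discussed in the comments, a missing SameSite attribute and SameSite=None without Secure; the host, port and path in check_server are assumptions.

```python
from http.client import HTTPConnection

def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, {attr: value}).
    Attribute names are case-insensitive (RFC 6265), so they are lower-cased."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs

def check_samesite(header):
    """Return a list of findings for one Set-Cookie header; empty means OK."""
    name, _, attrs = parse_set_cookie(header)
    samesite = attrs.get("samesite")
    if samesite is None:
        return [f"{name}: no SameSite attribute (CookieProcessor setting not applied)"]
    if samesite.lower() == "none" and "secure" not in attrs:
        return [f"{name}: SameSite=None without Secure; Chrome 80+ rejects it"]
    if samesite.lower() not in ("strict", "lax", "none"):
        return [f"{name}: unexpected SameSite value {samesite!r}"]
    return []

def check_server(host, port=8080, path="/"):
    """Fetch path from a running Tomcat (hypothetical host/port) and check
    every Set-Cookie header in the response."""
    conn = HTTPConnection(host, port, timeout=5)
    conn.request("GET", path)
    resp = conn.getresponse()
    cookies = [v for k, v in resp.getheaders() if k.lower() == "set-cookie"]
    conn.close()
    return {c: check_samesite(c) for c in cookies}

# Constructed sample headers (not captured from a real server).
SAMPLES = [
    "JSESSIONID=ABC123; Path=/; HttpOnly",                      # the asker's symptom
    "JSESSIONID=ABC123; Path=/; HttpOnly; SameSite=Strict",     # after the fix
    "JSESSIONID=ABC123; Path=/; HttpOnly; SameSite=None",       # None needs Secure
    "JSESSIONID=ABC123; Path=/; Secure; HttpOnly; SameSite=None",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", check_samesite(sample) or "OK")
```

Run it against a deployed instance with `check_server("your-host")` after restarting Tomcat, since context.xml changes are not picked up live.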