Re: [jetty-users] SameSite to STRICT

By the way, there is something wrong with the response headers you posted: there are two Set-Cookie headers for different paths, and the one for root has an empty session id - you must have some code that is explicitly setting this.

Jan

On Thu, 15 Jul 2021 at 11:50, Jan Bartel <janb@xxxxxxxxxxx> wrote:
I can't reproduce this using the standard jetty distro and the standard test webapp that just creates a session via HttpServletRequest.getSession(true), and the web.xml snippet you provided. I tried both 9.4.38 and the latest release and both result in a response with the correct Set-Cookie:

Content-Length: 0
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Location: http://localhost:8080/test/session/;jsessionid=node01ggldqpcbwnmpvb21biv2gceb0.node0?R=0
Server: Jetty(9.4.38.v20210224)
Set-Cookie: visited=yes
Set-Cookie: JSESSIONID=node01ggldqpcbwnmpvb21biv2gceb0.node0; Path=/test; Secure; HttpOnly; SameSite=Strict

Some questions for you:

Are you sure you don't have any code that would interfere with the setCookie? 
Are you setting this web snippet in a web.xml, or a web-fragment.xml or a web-override.xml?
Is this response being generated directly from jetty or is this via some other middleware that fronts it (apache, haproxy etc etc?)?
When is this session created? Is it created by your code, or is it created by jetty implicitly via a form login? 
Did a session already exist when the form login occurred?

Jan

On Thu, 15 Jul 2021 at 04:02, Sai Sankar Challa via jetty-users <jetty-users@xxxxxxxxxxx> wrote:

Sorry for snipped images.

 

Here is the configuration added in web.xml

 

<session-config>
  <cookie-config>
    <http-only>true</http-only>
    <secure>true</secure>
    <comment>__SAME_SITE_STRICT__</comment>
  </cookie-config>
</session-config>

 

 

Response Headers

HTTP/1.1 200 OK
Content-Type: text/html;charset=utf-8
Set-Cookie: JSESSIONID=node0u99zpkbrxegr59fnxzac8m217.node0; Path=/dashboard; Secure; HttpOnly
Expires: Thu, 01 Jan 1970 00:00:00 GMT //Here expecting SameSite to be returned
Set-Cookie: JSESSIONID=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0
X-Frame-Options: DENY
Referrer-Policy: same-origin
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Content-Security-Policy: default-src 'self' https:; script-src 'self'  'sha256-jLiclQuK1N1QZInVr4VJp6uKckK7+/GGsba4nme+PRA=' 'sha256-WcSfBbTthoIIuIdlLvU5spxO2l32y5Nw3Oh4jk4VnBY='; object-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; media-src 'self'; frame-src 'self'; font-src 'self'; connect-src 'self'
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Length: 3737

 

Thanks

Sai

 

From: Joakim Erdfelt <joakim@xxxxxxxxxxx>
Sent: Wednesday, July 14, 2021 10:46 PM
To: Sai Sankar Challa <saisankar.c@xxxxxxxxxxxxxxxx>
Cc: JETTY user mailing list <jetty-users@xxxxxxxxxxx>
Subject: Re: [jetty-users] SameSite to STRICT

 

You are using browser developer tooling.

 

What does the raw HTTP Response (that sets the JSESSIONID) look like?

As in, can you copy/paste the response, in raw form (not in a table, not post-parsed, not as an image) to this mailing list?


Joakim Erdfelt / joakim@xxxxxxxxxxx

 

 

On Wed, Jul 14, 2021 at 11:34 AM Sai Sankar Challa <saisankar.c@xxxxxxxxxxxxxxxx> wrote:

Thanks for the response.

 

I am assuming this is done by Jetty Server.

 

The URL we are trying is the very first URL, i.e., the login page; post-login we do have filter classes where we are doing some modifications.

 

Thanks

Sai

 

 

From: Joakim Erdfelt <joakim@xxxxxxxxxxx>
Sent: Wednesday, July 14, 2021 9:49 PM
To: JETTY user mailing list <jetty-users@xxxxxxxxxxx>
Cc: Sai Sankar Challa <saisankar.c@xxxxxxxxxxxxxxxx>
Subject: Re: [jetty-users] SameSite to STRICT

 

What does the actual HTTP Response that created that JSESSIONID look like?


Joakim Erdfelt / joakim@xxxxxxxxxxx

 

 

On Wed, Jul 14, 2021 at 11:07 AM Sai Sankar Challa via jetty-users <jetty-users@xxxxxxxxxxx> wrote:

Hi Team

 

We upgraded our Jetty version to 9.4.38.v20210224 and we want to set the 'SameSite' attribute to 'Strict' in JSESSIONID for our portal security.

 

We made the code changes as per below in our web.xml and are still not seeing any difference.

 

<session-config>
  <cookie-config>
    <http-only>false</http-only>
    <secure>false</secure>
    <comment>__SAME_SITE_STRICT__</comment>
  </cookie-config>
</session-config>

 

Browser Cookie

 

 

Can you please throw some ideas on how to get this done.

 

Thanks

Sai

 

 

_______________________________________________
jetty-users mailing list
jetty-users@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/jetty-users



--
Jan Bartel <janb@xxxxxxxxxxx>
www.webtide.com
Expert assistance from the creators of Jetty and CometD




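A check a defender can run on the raw response Joakim asked for, added here as an example (it is not code from the thread, from Jetty, or from Webtide): it parses every Set-Cookie header, reports whether the session cookie carries Secure, HttpOnly and SameSite=Strict, and separately flags a cookie-clearing Set-Cookie on another path, which is the second JSESSIONID header Jan points out. The two sample responses are constructed from the headers posted above; their status lines are assumed, since the thread only showed headers.

```python
"""Audit the Set-Cookie headers of a raw HTTP response for session-cookie hardening.

Added example for this thread, not code from the jetty-users list or from Jetty.
Input is the raw response text, exactly what Joakim asked for above.
"""
from typing import Dict, List

# Constructed samples modelled on the two responses posted in the thread.
# The status lines are assumed; the thread only showed the headers.
POSTED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html;charset=utf-8\r\n"
    "Set-Cookie: JSESSIONID=node0u99zpkbrxegr59fnxzac8m217.node0; Path=/dashboard; Secure; HttpOnly\r\n"
    "Expires: Thu, 01 Jan 1970 00:00:00 GMT\r\n"
    "Set-Cookie: JSESSIONID=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0\r\n"
    "Content-Length: 3737\r\n"
    "\r\n"
)

EXPECTED_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Content-Length: 0\r\n"
    "Expires: Thu, 01 Jan 1970 00:00:00 GMT\r\n"
    "Location: http://localhost:8080/test/session/;jsessionid=node01ggldqpcbwnmpvb21biv2gceb0.node0?R=0\r\n"
    "Server: Jetty(9.4.38.v20210224)\r\n"
    "Set-Cookie: visited=yes\r\n"
    "Set-Cookie: JSESSIONID=node01ggldqpcbwnmpvb21biv2gceb0.node0; Path=/test; Secure; HttpOnly; SameSite=Strict\r\n"
    "\r\n"
)


def parse_set_cookies(raw_response: str) -> List[Dict]:
    """Return one record per Set-Cookie header.

    Each record has the cookie name, its value and a dict of attributes whose
    keys are lower-cased (attribute names are case-insensitive per RFC 6265);
    flag attributes such as Secure and HttpOnly map to an empty string.
    """
    head = raw_response.replace("\r\n", "\n").split("\n\n", 1)[0]
    records = []
    for line in head.split("\n"):
        if line.startswith("HTTP/"):
            continue  # status line, not a header
        field, sep, value = line.partition(":")
        if not sep or field.strip().lower() != "set-cookie":
            continue
        pieces = [p.strip() for p in value.split(";")]
        name, _, cookie_value = pieces[0].partition("=")
        attrs = {}
        for piece in pieces[1:]:
            key, _, val = piece.partition("=")
            attrs[key.strip().lower()] = val.strip()
        records.append({"name": name.strip(), "value": cookie_value, "attrs": attrs})
    return records


def audit_session_cookie(raw_response: str, cookie_name: str = "JSESSIONID",
                         want_samesite: str = "Strict") -> List[str]:
    """Return a list of findings for the session cookie; an empty list means it passed.

    A Set-Cookie with an empty value or Max-Age=0 is a deletion rather than a
    session being established, so it is reported on its own: in the posted
    response that is the second header on Path=/, which Jan attributes to
    application code rather than Jetty.
    """
    findings = []
    matches = [c for c in parse_set_cookies(raw_response) if c["name"] == cookie_name]
    if not matches:
        return [f"no Set-Cookie header for {cookie_name}"]
    for cookie in matches:
        attrs = cookie["attrs"]
        path = attrs.get("path", "/")
        if cookie["value"] == "" or attrs.get("max-age") == "0":
            findings.append(f"{cookie_name} cleared on Path={path}")
            continue
        if "secure" not in attrs:
            findings.append(f"{cookie_name} on Path={path} missing Secure")
        if "httponly" not in attrs:
            findings.append(f"{cookie_name} on Path={path} missing HttpOnly")
        samesite = attrs.get("samesite")
        if samesite is None:
            findings.append(f"{cookie_name} on Path={path} missing SameSite")
        elif samesite.lower() != want_samesite.lower():
            findings.append(f"{cookie_name} on Path={path} has SameSite={samesite}, want {want_samesite}")
    return findings


if __name__ == "__main__":
    for label, response in (("posted", POSTED_RESPONSE), ("expected", EXPECTED_RESPONSE)):
        print(label, audit_session_cookie(response) or ["ok"])
```

Run against the posted response it reports the /dashboard cookie as missing SameSite and the Path=/ header as a cookie deletion; against the response Jan obtained from the stock distro it reports nothing. Feeding it the output of a raw client (curl -i, or a tcpdump of the connection) rather than browser developer tooling avoids the post-parsing Joakim warns about, and running it against the origin and again through any fronting proxy shows which hop drops or adds attributes.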
