<div dir="ltr">I think the Set-Cookie string in the response header is constructed in the following code:<br><br><a href="https://github.com/undertow-io/undertow/blob/master/core/src/main/java/io/undertow/server/Connectors.java#L125-L206">https://github.com/undertow-io/undertow/blob/master/core/src/main/java/io/undertow/server/Connectors.java#L125-L206</a><br><br><br>As Bill already mentioned, a new attribute should be added to the Cookie interface and Impl:<br><br><a href="https://github.com/undertow-io/undertow/blob/master/core/src/main/java/io/undertow/server/handlers/Cookie.java">https://github.com/undertow-io/undertow/blob/master/core/src/main/java/io/undertow/server/handlers/Cookie.java</a><br><a href="https://github.com/undertow-io/undertow/blob/master/core/src/main/java/io/undertow/server/handlers/CookieImpl.java">https://github.com/undertow-io/undertow/blob/master/core/src/main/java/io/undertow/server/handlers/CookieImpl.java</a><br><br><br>In addition, it looks like ServletCookieAdaptor also needs to be modified because this class implements the above Cookie interface. 
However, Servlet API javax.servlet.http.Cookie does not have support for such a SameSite attribute, so I think this one should not do anything:<br><br><a href="https://github.com/undertow-io/undertow/blob/master/servlet/src/main/java/io/undertow/servlet/spec/ServletCookieAdaptor.java">https://github.com/undertow-io/undertow/blob/master/servlet/src/main/java/io/undertow/servlet/spec/ServletCookieAdaptor.java</a><br><br><br>I&#39;ve just created a possible proposed patch to add SameSite Cookie support:<br><br><a href="https://github.com/undertow-io/undertow/compare/master...msfm:master_SameSite_Cookie">https://github.com/undertow-io/undertow/compare/master...msfm:master_SameSite_Cookie</a><br><br><br>With this, you can add the SameSite attribute like:<br><br>        Undertow server = Undertow.builder()<br>                .addHttpListener(8080, &quot;localhost&quot;)<br>                .setHandler(new HttpHandler() {<br>                    @Override<br>                    public void handleRequest(final HttpServerExchange exchange) throws Exception {<br>                        Cookie cookie = new CookieImpl(&quot;testCookie&quot;, &quot;testValue&quot;).setSameSite(&quot;&quot;);<br>                        // Cookie cookie = new CookieImpl(&quot;testCookie&quot;, &quot;testValue&quot;).setSameSite(&quot;Strict&quot;);<br>                        // Cookie cookie = new CookieImpl(&quot;testCookie&quot;, &quot;testValue&quot;).setSameSite(&quot;Lax&quot;);<br>                        exchange.setResponseCookie(cookie);<br>                        exchange.getResponseHeaders().put(Headers.CONTENT_TYPE, &quot;text/plain&quot;);<br>                        exchange.getResponseSender().send(&quot;Hello World&quot;);<br>                    }<br>                }).build();<br>        server.start();<br><br><br>Masafumi<br><br><br>On Fri, Mar 3, 2017 at 4:26 AM, Bill O&#39;Neil &lt;<a href="mailto:bill@dartalley.com">bill@dartalley.com</a>&gt; wrote:<br>&gt; This should be a good 
starting point<br>&gt;<br>&gt; Cookie Interface and Impl<br>&gt; <a href="https://github.com/undertow-io/undertow/blob/master/core/src/main/java/io/undertow/server/handlers/Cookie.java">https://github.com/undertow-io/undertow/blob/master/core/src/main/java/io/undertow/server/handlers/Cookie.java</a><br>&gt; <a href="https://github.com/undertow-io/undertow/blob/master/core/src/main/java/io/undertow/server/handlers/CookieImpl.java">https://github.com/undertow-io/undertow/blob/master/core/src/main/java/io/undertow/server/handlers/CookieImpl.java</a><br>&gt;<br>&gt; CookieUtil<br>&gt; <a href="https://github.com/undertow-io/undertow/blob/master/core/src/main/java/io/undertow/util/Cookies.java">https://github.com/undertow-io/undertow/blob/master/core/src/main/java/io/undertow/util/Cookies.java</a><br>&gt;<br>&gt; Setting a response cookie<br>&gt; <a href="https://github.com/undertow-io/undertow/blob/master/core/src/main/java/io/undertow/server/HttpServerExchange.java#L1120">https://github.com/undertow-io/undertow/blob/master/core/src/main/java/io/undertow/server/HttpServerExchange.java#L1120</a><br>&gt;<br>&gt; This was just a quick glance. 
I&#39;m not sure exactly where the header is set<br>&gt; but this should be a good start.<br>&gt;<br>&gt; Bill<br>&gt;<br>&gt; On Thu, Mar 2, 2017 at 2:15 PM, Sven Kubiak &lt;<a href="mailto:sven@kubiak.me">sven@kubiak.me</a>&gt; wrote:<br>&gt;&gt;<br>&gt;&gt; I have looked at the current Cookie Implementation in Undertow, and it<br>&gt;&gt; seems like there is no support for the Same-Site Cookie Attribute.<br>&gt;&gt;<br>&gt;&gt;  <br>&gt;&gt;<br>&gt;&gt; See: <a href="https://scotthelme.co.uk/csrf-is-dead/">https://scotthelme.co.uk/csrf-is-dead/</a><br>&gt;&gt;<br>&gt;&gt;  <br>&gt;&gt;<br>&gt;&gt; I’ll be happy to create a pull request, if someone could point me to the<br>&gt;&gt; right classes (and test cases) where the response headers for the cookies<br>&gt;&gt; are being set.<br>&gt;&gt;<br>&gt;&gt;  <br>&gt;&gt;<br>&gt;&gt; Best regards,<br>&gt;&gt;<br>&gt;&gt; Sven<br>&gt;&gt;<br>&gt;&gt;<br>&gt;&gt; _______________________________________________<br>&gt;&gt; undertow-dev mailing list<br>&gt;&gt; <a href="mailto:undertow-dev@lists.jboss.org">undertow-dev@lists.jboss.org</a><br>&gt;&gt; <a href="https://lists.jboss.org/mailman/listinfo/undertow-dev">https://lists.jboss.org/mailman/listinfo/undertow-dev</a><br>&gt;<br>&gt;<br>&gt;<br>&gt; _______________________________________________<br>&gt; undertow-dev mailing list<br>&gt; <a href="mailto:undertow-dev@lists.jboss.org">undertow-dev@lists.jboss.org</a><br>&gt; <a href="https://lists.jboss.org/mailman/listinfo/undertow-dev">https://lists.jboss.org/mailman/listinfo/undertow-dev</a><br></div>
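An added example, not from the thread and not Undertow code: it shows in Python what a Set-Cookie serializer like the one discussed above has to emit once the cookie object carries a SameSite field, plus a small audit a defender can run over captured Set-Cookie headers to spot cookies that lack the attribute. It goes beyond the thread's Strict/Lax cases by also handling the later SameSite=None value, which browsers only accept together with Secure. The Cookie class and the set_same_site, build_set_cookie, parse_set_cookie and audit_set_cookie functions are this example's own names, not Undertow's API; treating an empty string as "omit the attribute" is an assumption made here, not a statement about the proposed patch.

```python
"""Serialize, parse and audit Set-Cookie headers carrying SameSite (example code)."""
from dataclasses import dataclass
from typing import List, Optional

# Values defined for SameSite in RFC 6265bis. "None" is the later addition
# that current browsers accept only when the cookie is also marked Secure.
VALID_SAMESITE = ("Strict", "Lax", "None")


@dataclass
class Cookie:
    """Minimal cookie model; same_site is the hypothetical new field."""
    name: str
    value: str
    path: Optional[str] = None
    domain: Optional[str] = None
    max_age: Optional[int] = None
    secure: bool = False
    http_only: bool = False
    same_site: Optional[str] = None

    def set_same_site(self, mode: Optional[str]) -> "Cookie":
        """Validate and store a SameSite mode; "" or None clears it (assumption)."""
        if not mode:
            self.same_site = None
            return self
        canonical = {v.lower(): v for v in VALID_SAMESITE}.get(mode.lower())
        if canonical is None:
            raise ValueError(f"invalid SameSite value: {mode!r}")
        self.same_site = canonical
        return self


def build_set_cookie(c: Cookie) -> str:
    """Emit the header value: name=value followed by '; '-separated attributes."""
    parts = [f"{c.name}={c.value}"]
    if c.path is not None:
        parts.append(f"Path={c.path}")
    if c.domain is not None:
        parts.append(f"Domain={c.domain}")
    if c.max_age is not None:
        parts.append(f"Max-Age={c.max_age}")
    if c.secure:
        parts.append("Secure")
    if c.http_only:
        parts.append("HttpOnly")
    if c.same_site is not None:
        parts.append(f"SameSite={c.same_site}")
    return "; ".join(parts)


def parse_set_cookie(header: str) -> Cookie:
    """Parse a Set-Cookie value back into a Cookie; attribute names are case-insensitive."""
    segments = [s.strip() for s in header.split(";")]
    name, _, value = segments[0].partition("=")
    c = Cookie(name=name.strip(), value=value.strip())
    for seg in segments[1:]:
        key, _, val = seg.partition("=")
        key_l, val = key.strip().lower(), val.strip()
        if key_l == "path":
            c.path = val
        elif key_l == "domain":
            c.domain = val
        elif key_l == "max-age":
            c.max_age = int(val)
        elif key_l == "secure":
            c.secure = True
        elif key_l == "httponly":
            c.http_only = True
        elif key_l == "samesite":
            c.same_site = val  # kept as sent; the audit judges it
    return c


def audit_set_cookie(header: str) -> List[str]:
    """Return SameSite-related findings for one header value (empty list = nothing to flag)."""
    c = parse_set_cookie(header)
    findings = []
    if c.same_site is None:
        findings.append("no SameSite attribute: the browser default decides whether "
                        "the cookie accompanies cross-site requests")
    else:
        canonical = {v.lower(): v for v in VALID_SAMESITE}.get(c.same_site.lower())
        if canonical is None:
            findings.append(f"unrecognised SameSite value {c.same_site!r}")
        elif canonical == "None" and not c.secure:
            findings.append("SameSite=None without Secure: current browsers reject the cookie")
    return findings


if __name__ == "__main__":
    # Constructed sample headers, not captured from any real server.
    samples = [
        build_set_cookie(Cookie("testCookie", "testValue").set_same_site("Strict")),
        "JSESSIONID=constructed; Path=/; HttpOnly",
        "pref=1; SameSite=None",
    ]
    for h in samples:
        print(h, "->", audit_set_cookie(h) or "ok")
```

The audit deliberately reads the SameSite value case-insensitively, since browsers do, but serializes it in canonical form so that what a server emits never depends on how a caller spelled the mode.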