I think Set-Cookie string in the response header is constructed in the following code:

https://github.com/undertow-io/undertow/blob/master/core/src/main/java/io/undertow/server/Connectors.java#L125-L206


As Bill already mentioned, a new attribute should be added in Cookie interface and Impl:

https://github.com/undertow-io/undertow/blob/master/core/src/main/java/io/undertow/server/handlers/Cookie.java
https://github.com/undertow-io/undertow/blob/master/core/src/main/java/io/undertow/server/handlers/CookieImpl.java


In addition, it looks ServletCookieAdaptor also needs to be modifed because this class implements the above Cookie interface. However, Servlet API javax.servlet.http.Cookie does not have support for such SameSite attribute, so I think this one should not do anything:

https://github.com/undertow-io/undertow/blob/master/servlet/src/main/java/io/undertow/servlet/spec/ServletCookieAdaptor.java


I've just created a possible proposed patch to add SameSite Cookie support:

https://github.com/undertow-io/undertow/compare/master...msfm:master_SameSite_Cookie


With this, you can add SameSite attirubte like:

        Undertow server = Undertow.builder()
                .addHttpListener(8080, "localhost")
                .setHandler(new HttpHandler() {
                    @Override
                    public void handleRequest(final HttpServerExchange exchange) throws Exception {
                        Cookie cookie = new CookieImpl("testCookie", "testValue").setSameSite("");
                        // Cookie cookie = new CookieImpl("testCookie", "testValue").setSameSite("Strict");
                        // Cookie cookie = new CookieImpl("testCookie", "testValue").setSameSite("Lax");
                        exchange.setResponseCookie(cookie);
                        exchange.getResponseHeaders().put(Headers.CONTENT_TYPE, "text/plain");
                        exchange.getResponseSender().send("Hello World");
                    }
                }).build();
        server.start();


Masafumi


On Fri, Mar 3, 2017 at 4:26 AM, Bill O'Neil <bill@dartalley.com> wrote:
> This should be a good starting point
>
> Cookie Interface and Impl
> https://github.com/undertow-io/undertow/blob/master/core/src/main/java/io/undertow/server/handlers/Cookie.java
> https://github.com/undertow-io/undertow/blob/master/core/src/main/java/io/undertow/server/handlers/CookieImpl.java
>
> CookieUtil
> https://github.com/undertow-io/undertow/blob/master/core/src/main/java/io/undertow/util/Cookies.java
>
> Setting a response cookie
> https://github.com/undertow-io/undertow/blob/master/core/src/main/java/io/undertow/server/HttpServerExchange.java#L1120
>
> This was just a quick glance. I'm not sure exactly where the header is set
> but this should be a good start.
>
> Bill
>
> On Thu, Mar 2, 2017 at 2:15 PM, Sven Kubiak <sven@kubiak.me> wrote:
>>
>> I have looked at the current Cookie Implementation in Undetow, and it
>> seems like there is no support for the Same-Site Cookie Attribute.
>>
>>  
>>
>> See: https://scotthelme.co.uk/csrf-is-dead/
>>
>>  
>>
>> I’ll be happy to create a pull request, if someone could point me to the
>> right classes (and test cases) where the response headers for the cookies
>> are being set.
>>
>>  
>>
>> Best regards,
>>
>> Sven
>>
>>
>> _______________________________________________
>> undertow-dev mailing list
>> undertow-dev@lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/undertow-dev
>
>
>
> _______________________________________________
> undertow-dev mailing list
> undertow-dev@lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/undertow-dev