[undertow-dev] Same-Site Cookie Attribute
Masafumi Miura
masafumi0920 at gmail.com
Thu Mar 2 18:30:10 EST 2017
I think the Set-Cookie string in the response header is constructed in the
following code:
https://github.com/undertow-io/undertow/blob/master/core/src/main/java/io/undertow/server/Connectors.java#L125-L206
As Bill already mentioned, a new attribute should be added to the Cookie
interface and Impl:
https://github.com/undertow-io/undertow/blob/master/core/src/main/java/io/undertow/server/handlers/Cookie.java
https://github.com/undertow-io/undertow/blob/master/core/src/main/java/io/undertow/server/handlers/CookieImpl.java
In addition, it looks like ServletCookieAdaptor also needs to be modified because
this class implements the above Cookie interface. However, the Servlet API
javax.servlet.http.Cookie does not have support for such a SameSite
attribute, so I think this one should not do anything:
https://github.com/undertow-io/undertow/blob/master/servlet/src/main/java/io/undertow/servlet/spec/ServletCookieAdaptor.java
I've just created a possible proposed patch to add SameSite Cookie support:
https://github.com/undertow-io/undertow/compare/master...msfm:master_SameSite_Cookie
With this, you can add the SameSite attribute like:

import io.undertow.Undertow;
import io.undertow.server.HttpHandler;
import io.undertow.server.HttpServerExchange;
import io.undertow.server.handlers.Cookie;
import io.undertow.server.handlers.CookieImpl;
import io.undertow.util.Headers;

Undertow server = Undertow.builder()
        .addHttpListener(8080, "localhost")
        .setHandler(new HttpHandler() {
            @Override
            public void handleRequest(final HttpServerExchange exchange) throws Exception {
                // setSameSite(String) is the setter added by the proposed patch linked above
                Cookie cookie = new CookieImpl("testCookie", "testValue").setSameSite("");
                // Cookie cookie = new CookieImpl("testCookie", "testValue").setSameSite("Strict");
                // Cookie cookie = new CookieImpl("testCookie", "testValue").setSameSite("Lax");
                exchange.setResponseCookie(cookie);
                exchange.getResponseHeaders().put(Headers.CONTENT_TYPE, "text/plain");
                exchange.getResponseSender().send("Hello World");
            }
        }).build();
server.start();
Masafumi
On Fri, Mar 3, 2017 at 4:26 AM, Bill O'Neil <bill at dartalley.com> wrote:
> This should be a good starting point
>
> Cookie Interface and Impl
>
https://github.com/undertow-io/undertow/blob/master/core/src/main/java/io/undertow/server/handlers/Cookie.java
>
https://github.com/undertow-io/undertow/blob/master/core/src/main/java/io/undertow/server/handlers/CookieImpl.java
>
> CookieUtil
>
https://github.com/undertow-io/undertow/blob/master/core/src/main/java/io/undertow/util/Cookies.java
>
> Setting a response cookie
>
https://github.com/undertow-io/undertow/blob/master/core/src/main/java/io/undertow/server/HttpServerExchange.java#L1120
>
> This was just a quick glance. I'm not sure exactly where the header is set
> but this should be a good start.
>
> Bill
>
> On Thu, Mar 2, 2017 at 2:15 PM, Sven Kubiak <sven at kubiak.me> wrote:
>>
>> I have looked at the current Cookie Implementation in Undertow, and it
>> seems like there is no support for the Same-Site Cookie Attribute.
>>
>> See: https://scotthelme.co.uk/csrf-is-dead/
>>
>> I'll be happy to create a pull request, if someone could point me to the
>> right classes (and test cases) where the response headers for the cookies
>> are being set.
>>
>> Best regards,
>>
>> Sven
>>
>> _______________________________________________
>> undertow-dev mailing list
>> undertow-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/undertow-dev
>
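Added example (Python, written for this page; it is not Undertow code and not the proposed patch): a small Set-Cookie serializer that emits the SameSite attribute the thread is adding, plus a parser and an audit function that can be run over the Set-Cookie headers returned by a server such as the test handler above to confirm that session cookies actually carry a recognised SameSite mode. The cookie name JSESSIONID, the sample headers and the decision to treat an empty same_site string as "attribute not set" (how setSameSite("") in the posted handler is read here) are assumptions of this example. It goes beyond the 2016 draft the thread cites by also accepting SameSite=None, which a later revision of RFC 6265bis added and which browsers only honour together with Secure.

```python
"""Set-Cookie serializer and SameSite audit (added example, not Undertow code)."""
import re

# Modes from the draft this thread cites: Strict and Lax. "None" comes from a later
# revision of RFC 6265bis and is only honoured alongside Secure, which is enforced below.
SAME_SITE_MODES = {"strict": "Strict", "lax": "Lax", "none": "None"}

# RFC 6265 cookie-name token: no control characters, whitespace or separators.
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def build_set_cookie(name, value, path=None, domain=None, max_age=None,
                     secure=False, http_only=False, same_site=None):
    """Serialize one cookie into a Set-Cookie header value.

    same_site: "Strict", "Lax" or "None" (case-insensitive). None or "" omits the
    attribute; treating "" as "not set" is this example's assumption, not the patch's.
    """
    if not _TOKEN.match(name):
        raise ValueError(f"invalid cookie name: {name!r}")
    if any(c in value for c in ' ",;\\') or any(ord(c) < 0x20 for c in value):
        raise ValueError("cookie value must not contain whitespace, quotes, ',', ';' or '\\'")
    parts = [f"{name}={value}"]
    if path:
        parts.append(f"Path={path}")
    if domain:
        parts.append(f"Domain={domain}")
    if max_age is not None:
        parts.append(f"Max-Age={int(max_age)}")
    if secure:
        parts.append("Secure")
    if http_only:
        parts.append("HttpOnly")
    if same_site:
        mode = SAME_SITE_MODES.get(same_site.strip().lower())
        if mode is None:
            raise ValueError(f"unsupported SameSite mode: {same_site!r}")
        if mode == "None" and not secure:
            raise ValueError("SameSite=None is ignored by browsers unless the cookie is also Secure")
        parts.append(f"SameSite={mode}")
    return "; ".join(parts)


def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, attrs).

    Attribute keys are lower-cased; flag attributes such as Secure and HttpOnly map to True.
    """
    segments = [s.strip() for s in header.split(";")]
    name, _, value = segments[0].partition("=")
    attrs = {}
    for seg in segments[1:]:
        if not seg:
            continue
        key, has_eq, val = seg.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_eq else True
    return name.strip(), value.strip(), attrs


def audit_set_cookies(headers, session_names=("JSESSIONID",)):
    """Flag session cookies that a cross-site request would still carry.

    Returns a list of (cookie_name, finding) tuples; an empty list means every
    session cookie has a recognised SameSite mode (and Secure when the mode is None).
    """
    findings = []
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        if name not in session_names:
            continue
        mode = attrs.get("samesite")
        if mode is None:
            findings.append((name, "missing SameSite; sent on cross-site requests"))
        elif mode is True or mode.lower() not in SAME_SITE_MODES:
            findings.append((name, f"unrecognised SameSite value {mode!r}"))
        elif mode.lower() == "none" and "secure" not in attrs:
            findings.append((name, "SameSite=None without Secure is rejected by browsers"))
    return findings


if __name__ == "__main__":
    # Constructed sample response headers, not captured from a real server.
    sample = [
        build_set_cookie("JSESSIONID", "abc123", path="/", secure=True,
                         http_only=True, same_site="Lax"),
        "JSESSIONID=legacy; Path=/; HttpOnly",
        "prefs=dark; Path=/",
    ]
    for cookie_name, finding in audit_set_cookies(sample):
        print(f"{cookie_name}: {finding}")
```

To check a running server, feed audit_set_cookies() the values of every Set-Cookie header in the response (for example from the handler in this thread, with urllib or curl -i); the first sample cookie passes and the second is reported because it has no SameSite attribute at all, which is exactly the state of Undertow before the patch.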