...
Warning: WebKit-based browsers on Mac (Safari) and iOS (Safari, Chrome, Firefox etc.) are currently affected by a bug that treats SameSite=None or SameSite=nonsense (any unrecognised value) cookies as SameSite=Strict (https://bugs.webkit.org/show_bug.cgi?id=198181). We believe the fix for this will only take effect from macOS 10.15 and iOS 13. Consequently, any attempt to maintain the current functional behaviour of cookies by setting SameSite=None on unfixed versions of WebKit will break SSO. WE ARE CURRENTLY TESTING THIS, SO THIS MESSAGE MAY CHANGE.
Implementation
Following on from IdP SameSite Testing, here we describe a new Servlet Filter (SameSiteSessionCookieFilter) for appending the SameSite cookie attribute to specified cookies. The SameSiteSessionCookieFilter wraps the HttpResponse in a SameSiteResponseProxy. The proxy overrides the getWriter, sendError, getOutputStream and sendRedirect methods of the response, so that any attempt by a Servlet to commit a response back to the client first runs the 'append same site attribute' logic over the current set of Set-Cookie headers.
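The following filter is an added illustration of the proxy mechanism just described; it is example code written for this page, not the IdP's own SameSiteSessionCookieFilter or SameSiteResponseProxy. It assumes the javax Servlet 3.0+ API (for getHeaders on the response), and the cookie names in POLICY are constructed.

```java
import java.io.*;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.*;

/** Illustrative filter (not the IdP's SameSiteSessionCookieFilter). */
public class SameSiteAppendFilter implements Filter {
    // Constructed mapping of cookie name -> SameSite value to append.
    private static final Map<String, String> POLICY =
            Map.of("JSESSIONID", "None", "shib_idp_session", "None");
    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        chain.doFilter(req, res instanceof HttpServletResponse
                ? new SameSiteResponseProxy((HttpServletResponse) res) : res);
    }
    /** Every path that commits the response first rewrites the Set-Cookie headers. */
    static final class SameSiteResponseProxy extends HttpServletResponseWrapper {
        SameSiteResponseProxy(HttpServletResponse r) { super(r); }
        @Override public ServletOutputStream getOutputStream() throws IOException {
            appendSameSite(); return super.getOutputStream(); }
        @Override public PrintWriter getWriter() throws IOException {
            appendSameSite(); return super.getWriter(); }
        @Override public void sendError(int sc, String msg) throws IOException {
            appendSameSite(); super.sendError(sc, msg); }
        @Override public void sendError(int sc) throws IOException {
            appendSameSite(); super.sendError(sc); }
        @Override public void sendRedirect(String location) throws IOException {
            appendSameSite(); super.sendRedirect(location); }
        private void appendSameSite() {
            if (isCommitted()) return;               // headers can no longer change
            List<String> rewritten = new ArrayList<>();
            for (String h : super.getHeaders("Set-Cookie")) rewritten.add(withSameSite(h));
            // The Servlet API has no removeHeader: setHeader replaces, addHeader appends.
            for (int i = 0; i < rewritten.size(); i++) {
                if (i == 0) super.setHeader("Set-Cookie", rewritten.get(i));
                else super.addHeader("Set-Cookie", rewritten.get(i));
            }
        }
    }
    /** Append SameSite only to configured cookies that do not already carry it. */
    static String withSameSite(String header) {
        String name = header.substring(0, Math.max(header.indexOf('='), 0)).trim();
        String value = POLICY.get(name);
        if (value == null || header.toLowerCase().contains("samesite=")) return header;
        // SameSite=None is only honoured on Secure cookies, so add Secure if missing.
        if ("None".equals(value) && !header.toLowerCase().contains("secure")) header += "; Secure";
        return header + "; SameSite=" + value;
    }
}
```

Note that this only rewrites cookies present at the moment the response is committed; a cookie added after getWriter or getOutputStream has been called is not revisited, which is the same limitation the page's commit-point design implies.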
...