...
Warning

Webkit-based browsers on Mac (Safari) and iOS (Safari, Chrome, Firefox etc.) are currently affected by a bug that treats SameSite=None, or SameSite=nonsense (any unrecognised value), as SameSite=Strict (https://bugs.webkit.org/show_bug.cgi?id=198181). We believe the fix for this will only take effect from MacOS 10.15 and iOS 13 (although we are still testing this). Consequently, any attempt to maintain the current functional behaviour of cookies by setting SameSite=None on unfixed versions of Webkit will break SSO. WE ARE CURRENTLY TESTING THIS, SO THIS MESSAGE MAY CHANGE.
Implementation
Following on from IdP SameSite Testing, here we describe a new Servlet Filter (`SameSiteSessionCookieFilter`) for appending the same-site cookie flag to specified cookies. The `SameSiteSessionCookieFilter` wraps the `HttpResponse` with a `SameSiteResponseProxy` proxy. The proxy overrides the `getWriter`, `sendError`, `getOutputStream`, and `sendRedirect` response methods, such that any attempt from a Servlet to commit a response back to the client invokes the 'append same site attribute' logic over the current set of `Set-Cookie` headers.
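The following is an added illustration of the filter-plus-response-proxy pattern described above; it is example code written for this page, not the Shibboleth IdP's own `SameSiteSessionCookieFilter` source. It assumes a Servlet 3.0+ container (so that `HttpServletResponse.getHeaders` is available and cookies added via `addCookie` are visible as `Set-Cookie` headers before commit), and the cookie-name-to-SameSite-value map passed to the constructor is a constructed sample configuration rather than the IdP's real one. The `appendSameSite` helper, the regular expressions and the `Secure`-appending rule for `SameSite=None` are this example's own choices.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletOutputStream;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

/** Example filter: wraps the response so Set-Cookie headers are tagged before commit. */
public class SameSiteSessionCookieFilter implements Filter {

    // Hypothetical configuration: cookie name -> SameSite value to append.
    // e.g. {"JSESSIONID": "None", "shib_idp_session": "None"} (constructed sample).
    private final Map<String, String> sameSiteByCookie;

    public SameSiteSessionCookieFilter(Map<String, String> sameSiteByCookie) {
        this.sameSiteByCookie = sameSiteByCookie;
    }

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        if (resp instanceof HttpServletResponse) {
            chain.doFilter(req, new SameSiteResponseProxy((HttpServletResponse) resp, sameSiteByCookie));
        } else {
            chain.doFilter(req, resp);
        }
    }

    private static final Pattern HAS_SAMESITE =
            Pattern.compile(";\\s*SameSite\\s*=", Pattern.CASE_INSENSITIVE);
    private static final Pattern HAS_SECURE =
            Pattern.compile(";\\s*Secure\\s*(;|$)", Pattern.CASE_INSENSITIVE);

    /** Rewrites one Set-Cookie header value; untouched if the cookie is not managed or already tagged. */
    static String appendSameSite(String setCookie, Map<String, String> sameSiteByCookie) {
        int eq = setCookie.indexOf('=');
        if (eq < 0) return setCookie;
        String name = setCookie.substring(0, eq).trim();
        String value = sameSiteByCookie.get(name);
        if (value == null || HAS_SAMESITE.matcher(setCookie).find()) return setCookie;
        StringBuilder sb = new StringBuilder(setCookie).append("; SameSite=").append(value);
        // Browsers that honour SameSite=None only do so on Secure cookies, so add the flag if absent.
        if ("None".equalsIgnoreCase(value) && !HAS_SECURE.matcher(setCookie).find()) {
            sb.append("; Secure");
        }
        return sb.toString();
    }

    /** Response proxy: every commit path runs the append logic over the current Set-Cookie headers. */
    static class SameSiteResponseProxy extends HttpServletResponseWrapper {
        private final Map<String, String> sameSiteByCookie;

        SameSiteResponseProxy(HttpServletResponse response, Map<String, String> sameSiteByCookie) {
            super(response);
            this.sameSiteByCookie = sameSiteByCookie;
        }

        private void appendSameSiteAttributes() {
            HttpServletResponse r = (HttpServletResponse) getResponse();
            if (r.isCommitted()) return;                         // headers already sent; nothing to do
            List<String> cookies = new ArrayList<>(r.getHeaders("Set-Cookie"));
            if (cookies.isEmpty()) return;
            List<String> rewritten = new ArrayList<>(cookies.size());
            for (String c : cookies) rewritten.add(appendSameSite(c, sameSiteByCookie));
            // setHeader replaces all existing Set-Cookie values; addHeader re-adds the remainder.
            r.setHeader("Set-Cookie", rewritten.get(0));
            for (int i = 1; i < rewritten.size(); i++) r.addHeader("Set-Cookie", rewritten.get(i));
        }

        @Override public PrintWriter getWriter() throws IOException {
            appendSameSiteAttributes(); return super.getWriter();
        }
        @Override public ServletOutputStream getOutputStream() throws IOException {
            appendSameSiteAttributes(); return super.getOutputStream();
        }
        @Override public void sendError(int sc) throws IOException {
            appendSameSiteAttributes(); super.sendError(sc);
        }
        @Override public void sendError(int sc, String msg) throws IOException {
            appendSameSiteAttributes(); super.sendError(sc, msg);
        }
        @Override public void sendRedirect(String location) throws IOException {
            appendSameSiteAttributes(); super.sendRedirect(location);
        }
    }
}
```

The rewrite has to happen before the container commits the response, which is why each of the four commit paths calls `appendSameSiteAttributes` first and why the method bails out on an already-committed response. Given the Webkit warning above, a deployment that sets `SameSite=None` would also need to decide per request whether the client can honour it; this example applies the configured value unconditionally and does not attempt that.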
...