...

Tomcat's 'workaround' for adding SameSite is potentially less configurable by default, as it applies a single configured same-site value globally to all cookies (including the session cookie). This could be extended using a custom CookieProcessor, but as there seems to be no way to access the HttpRequest from it, it still may not be suitable for conditionally applying values by user-agent etc.

Tomcat and Jetty Servlet Specification Support

...

Info

This does set the JSESSIONID cookie to None when testing the IdP using Jetty 9.4.26. This does indeed break Safari in 10.14 (None->Strict). However, as it does not set the shib_idp_session cookie to None (only the session cookie is affected by this config change), SSO breaks.


Issues:

  • There is no way to set a default value if a value is not added to the comment.
  • There does not seem to be a way to conditionally add this to the session cookie (e.g. by user-agent).
  • Non-standard, Jetty-specific approach.
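As an added example (not code from this page, the Shibboleth IdP, Jetty or Tomcat), the following servlet Filter addresses the second issue at the application layer rather than in the container: after the chain has run, and again just before a redirect or error commits the response, it re-reads every queued Set-Cookie header, including the session cookie the container adds itself (which bypasses response wrappers), and appends SameSite=None plus Secure to the named cookies. Clients matching the Safari/10.14 case described in the note above are left without the attribute, since they would read None as Strict. The class name, the cookie names and the user-agent test are assumptions for illustration.

```java
// Added example, not from the wiki page or the Shibboleth/Jetty/Tomcat projects.
// Tags selected cookies with SameSite=None unless the client is known to mishandle it.
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

public class SameSiteCookieFilter implements Filter {

    // Cookies to tag: shib_idp_session is named on the page; JSESSIONID is the
    // container's default session cookie name (assumed not renamed).
    private static final Set<String> COOKIE_NAMES =
            new HashSet<>(Arrays.asList("JSESSIONID", "shib_idp_session"));

    // Safari on macOS 10.14 treats SameSite=None as Strict, so the attribute is
    // omitted for it. The user-agent shape checked here is an assumption.
    static boolean supportsSameSiteNone(String userAgent) {
        if (userAgent == null) return true;
        boolean mojaveSafari = userAgent.contains("Mac OS X 10_14")
                && userAgent.contains("Safari")
                && !userAgent.contains("Chrome");
        return !mojaveSafari;
    }

    // Rewrite one Set-Cookie header value. Leaves cookies alone if they are not
    // in the list, already carry SameSite, or the client cannot handle None.
    static String rewrite(String setCookie, boolean noneSupported) {
        int eq = setCookie.indexOf('=');
        if (eq < 0) return setCookie;
        String name = setCookie.substring(0, eq).trim();
        if (!noneSupported || !COOKIE_NAMES.contains(name)) return setCookie;
        String lower = setCookie.toLowerCase();
        if (lower.contains("samesite=")) return setCookie;
        StringBuilder sb = new StringBuilder(setCookie);
        if (!lower.contains("; secure")) sb.append("; Secure"); // None requires Secure
        sb.append("; SameSite=None");
        return sb.toString();
    }

    // Re-emit every queued Set-Cookie header through rewrite(). This is a no-op once
    // the response is committed, because headers are already on the wire by then.
    static void rewriteCookies(HttpServletResponse response, boolean noneSupported) {
        if (response.isCommitted()) return;
        List<String> headers = new ArrayList<>(response.getHeaders("Set-Cookie"));
        boolean first = true;
        for (String header : headers) {
            String value = rewrite(header, noneSupported);
            if (first) {
                response.setHeader("Set-Cookie", value); // replaces the whole set
                first = false;
            } else {
                response.addHeader("Set-Cookie", value);
            }
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse response = (HttpServletResponse) res;
        boolean noneSupported =
                supportsSameSiteNone(((HttpServletRequest) req).getHeader("User-Agent"));

        // Redirects and errors commit the response inside the chain (the usual case
        // in SSO flows), so rewrite right before they do; then once more afterwards.
        HttpServletResponseWrapper wrapper = new HttpServletResponseWrapper(response) {
            @Override public void sendRedirect(String location) throws IOException {
                rewriteCookies(response, noneSupported);
                super.sendRedirect(location);
            }
            @Override public void sendError(int sc, String msg) throws IOException {
                rewriteCookies(response, noneSupported);
                super.sendError(sc, msg);
            }
            @Override public void sendError(int sc) throws IOException {
                rewriteCookies(response, noneSupported);
                super.sendError(sc);
            }
            @Override public void flushBuffer() throws IOException {
                rewriteCookies(response, noneSupported);
                super.flushBuffer();
            }
        };
        chain.doFilter(req, wrapper);
        rewriteCookies(response, noneSupported);
    }

    @Override public void init(FilterConfig filterConfig) { }
    @Override public void destroy() { }
}
```

Map the filter to the IdP's URL pattern in web.xml ahead of any other filter. Its limit is the commit point: a response committed by the buffer filling up during body writes is not caught, which is why a container-level setting remains preferable where it can be made conditional.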

9.4.27

Jetty 9.4.27 added support for setting a global default same-site value from the servlet context (a servlet context attribute), used when no value is already encoded in the cookie's comment (as above) (Issue #4247 use context default for samesite cookie attribute by janbartel · Pull Request #4512 · eclipse/jetty.project · GitHub)
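As an added example (not from this page or from the Jetty project), a ServletContextListener that uses both Jetty mechanisms together: the 9.4.27 context attribute as the default for every cookie, and the 9.4.26 comment marker for the session cookie specifically. The attribute name and comment marker are assumed to match the constants Jetty's org.eclipse.jetty.http.HttpCookie defines in those releases; the class name is an assumption.

```java
// Added example, not from the wiki page or the Jetty project.
// Programmatic equivalent of the Jetty context attribute and web.xml cookie comment.
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;

public class JettySameSiteDefaults implements ServletContextListener {

    // Assumed to equal HttpCookie.SAME_SITE_DEFAULT_ATTRIBUTE (Jetty 9.4.27+).
    static final String SAME_SITE_DEFAULT_ATTRIBUTE = "org.eclipse.jetty.cookie.sameSiteDefault";
    // Assumed to equal HttpCookie.SAME_SITE_NONE_COMMENT (Jetty 9.4.26+).
    static final String SAME_SITE_NONE_COMMENT = "__SAME_SITE_NONE__";

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        // Context-wide default, applied to any cookie whose comment carries no
        // SameSite marker (so shib_idp_session and JSESSIONID both get it).
        sce.getServletContext().setAttribute(SAME_SITE_DEFAULT_ATTRIBUTE, "None");

        // Per-cookie override for the session cookie via its comment; same effect as
        // <session-config><cookie-config><comment>__SAME_SITE_NONE__</comment>.
        SessionCookieConfig cookieConfig = sce.getServletContext().getSessionCookieConfig();
        cookieConfig.setComment(SAME_SITE_NONE_COMMENT);
        cookieConfig.setSecure(true);   // SameSite=None is only honoured with Secure
        cookieConfig.setHttpOnly(true);
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) { }
}
```

Register the listener in web.xml (or via @WebListener). Note that this is still unconditional: neither mechanism sees the User-Agent, so the Safari/10.14 case described above is not handled by container configuration alone.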

...