Puneri

Reputation: 303

How to set sameSite cookie in Tomcat's cookie processor?

Tomcat's context.xml defines CookieProcessor (default LegacyCookieProcessor).

Apache Tomcat 9 Configuration Reference

I'm trying to add the attribute(s) shown for the cookie processor, however that doesn't seem to be working:

<CookieProcessor className="org.apache.tomcat.util.http.LegacyCookieProcessor" sameSiteCookies="strict" />

I don't see the SameSite attribute being set on the cookie in Tomcat's response header.

Upvotes: 19

Views: 64342

Answers (3)

GioPoe

Reputation: 139

To add on to the current answers, make sure the Tomcat version is exactly one of the releases that recognize SameSite, e.g. Tomcat 9.0.21. Adding the context to tomcat/conf/context.xml is generally a bad idea because it is not application specific. To define an application-specific context you can create the folder path inside Tomcat/conf/{EngineName}/{HostName}/{applicationFileName}.xml. This is equivalent to adding the context to the /META-INF folder. There are several ways to define a context. Reference: https://octopus.com/blog/defining-tomcat-context-paths

Upvotes: 0

Puneri

Reputation: 303

Found the answer to this:

  1. edit tomcat/conf/context.xml
  2. update the CookieProcessor element as on the following line, e.g. for setting sameSiteCookies in the HTTP response's Set-Cookie header:

     <CookieProcessor className="org.apache.tomcat.util.http.LegacyCookieProcessor" sameSiteCookies="strict" />

Upvotes: 1

Ivan Tsenov

Reputation: 528

In your web application, inside the META-INF folder create a context.xml file with this inside:

<Context>
   <CookieProcessor sameSiteCookies="strict" />
</Context>

If you already have a context.xml file, you just need to add the CookieProcessor element.

This behavior is possible since Tomcat 9.0.21 and 8.5.42, or 9.0.28 and 8.5.48 if you need to set the attribute to "none".

Merged into Tomcat master on the 20th of May 2019 with pull request 162.

Upvotes: 42
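A way to confirm that the CookieProcessor change from either answer actually reached the wire, added here as an example that is not part of the question or of any answer. Capture the response headers of a URL in your app that creates a session, e.g. `curl -s -D - -o /dev/null http://localhost:8080/myapp/` (the host, port and /myapp path are assumptions), and feed the text to the checker below. It parses every Set-Cookie line, reports cookies that carry no SameSite attribute (the symptom in the question, i.e. the setting was not picked up) and flags SameSite=None cookies that lack Secure, which browsers reject. The two sample responses in the block are constructed, not captured from a real Tomcat; the JSESSIONID value is made up.

```python
"""Audit Set-Cookie headers for the SameSite attribute (added example, not Tomcat code)."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class CookieAudit:
    name: str
    samesite: Optional[str]  # value of the SameSite attribute, None if absent
    secure: bool
    httponly: bool


def parse_set_cookie(header_value: str) -> CookieAudit:
    """Parse one Set-Cookie header value into its name and the attributes we care about.

    Attribute names are matched case-insensitively; Tomcat emits 'SameSite=Strict',
    'SameSite=Lax' or 'SameSite=None' for sameSiteCookies strict/lax/none.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    samesite = None
    secure = httponly = False
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        key = key.strip().lower()
        if key == "samesite":
            samesite = value.strip()
        elif key == "secure":
            secure = True
        elif key == "httponly":
            httponly = True
    return CookieAudit(name, samesite, secure, httponly)


def audit_headers(raw_response: str) -> List[CookieAudit]:
    """Extract and parse every Set-Cookie line from raw HTTP response headers."""
    audits = []
    for line in raw_response.splitlines():
        field, sep, value = line.partition(":")
        if sep and field.strip().lower() == "set-cookie":
            audits.append(parse_set_cookie(value.strip()))
    return audits


def findings(audits: List[CookieAudit]) -> List[str]:
    """Return one human-readable problem per cookie that is not safely configured."""
    problems = []
    for c in audits:
        if c.samesite is None:
            problems.append(f"{c.name}: no SameSite attribute (CookieProcessor sameSiteCookies not applied?)")
        elif c.samesite.lower() == "none" and not c.secure:
            problems.append(f"{c.name}: SameSite=None without Secure; browsers reject this cookie")
    return problems


# Constructed sample responses (not captured from a real server): the header set
# before and after the CookieProcessor element is configured with sameSiteCookies="strict".
BEFORE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: JSESSIONID=1A2B3C4D5E6F; Path=/myapp; HttpOnly\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
)
AFTER = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: JSESSIONID=1A2B3C4D5E6F; Path=/myapp; HttpOnly; SameSite=Strict\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
)

if __name__ == "__main__":
    import sys
    # Read a captured response from stdin when piped; otherwise demonstrate on the samples.
    raw = sys.stdin.read() if not sys.stdin.isatty() else BEFORE + "\r\n" + AFTER
    for problem in findings(audit_headers(raw)) or ["all cookies carry a usable SameSite attribute"]:
        print(problem)
```

Run it as `curl -s -D - -o /dev/null http://localhost:8080/myapp/ | python3 check_samesite.py` (file name assumed); if JSESSIONID is still reported without SameSite, the context.xml that was edited is not the one Tomcat loaded for that application, or the Tomcat build predates 9.0.21 / 8.5.42.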
