Modifying/adding cookie attributes on the fly?

classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|

Modifying/adding cookie attributes on the fly?

Martin Knoblauch
Hi,

 we have the following setup: Apache/httpd->mod_jk_>Apache/Tomcat. "httpd" and "mod_jk" are recent versions, Tomcat is 9.0.12 and cannot be upgraded. We also have only very limited influence on the application hosted there.

 Problem is that the Cookies sent by the application do not have the "SameSite" attribute set. So far not a big deal, but with newer browsers we get POST failures because instead of assuming a value of "None" for the unset attribute they now assume/set "Lax".

 Ideally the application could be changed to do "the right thing", or we could tell the Tomcat CookieProcessor to set the attribute to "None". Unfortunately not possible. See above.

 Now my question is, is there a trick to do that with "httpd" or a module? Check whether the attribute is set, if not add it to the cookie?

Thanks in advance
Martin
--
------------------------------------------------------
Martin Knoblauch
email: k n o b i AT knobisoft DOT de
www: http://www.knobisoft.de
Reply | Threaded
Open this post in threaded view
|

Re: Modifying/adding cookie attributes on the fly?

Christophe JAILLET
Le 27/08/2020 à 09:11, Martin Knoblauch a écrit :

> Hi,
>
>   we have the following setup: Apache/httpd->mod_jk_>Apache/Tomcat.
> "httpd" and "mod_jk" are recent versions, Tomcat is 9.0.12 and cannot be
> upgraded. We also have only very limited influence on the application
> hosted there.
>
>   Problem is that the Cookies sent by the application do not have the
> "SameSite" attribute set. So far not a big deal, but with newer browsers
> we get POST failures because instead of assuming a value of "None" for
> the unset attribute they now assume/set "Lax".
>
>   Ideally the application could be changed to do "the right thing", or
> we could tell the Tomcat CookieProcessor to set the attribute to "None".
> Unfortunately not possible. See above.
>
>   Now my question is, is there a trick to do that with "httpd" or a
> module? Check whether the attribute is set, if not add it to the cookie?
>
> Thanks in advance
> Martin
> --
> ------------------------------------------------------
> Martin Knoblauch
> email: k n o b i AT knobisoft DOT de
> www: http://www.knobisoft.de

Hi,
Cookies are just header fields.

Have you already looked at the Header directive of mod_alias [1]?

CJ

[1]: https://httpd.apache.org/docs/2.4/mod/mod_headers.html

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]