https://bz.apache.org/bugzilla/show_bug.cgi?id=64921
Bug ID: 64921
Summary: LoadBalancerDrainingValve does not honour "Secure Session Cookie" settings
Product: Tomcat 9
Version: 9.0.39
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: Catalina
Assignee: dev@tomcat.apache.org
Reporter: apa...@akurth.de
Target Milestone: -----

With Chrome browsers a redirection loop will be triggered when all of the following conditions apply:

* sameSiteCookies=none attribute has been set at the CookieProcessor
* LoadBalancerDrainingValve has been activated
* Site is called with a timed-out session

Reason:
LoadBalancerDrainingValve tries to reset the JSESSIONID cookie. It adds "SameSite=None" as expected. But no matter what is configured for the "Secure Session Cookie" setting, it will never add the "Secure" attribute as well. Since Chrome does not accept "SameSite=None" without "Secure", it will reject the cookie, which will then be sent again and again in a redirection loop.
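
A header check for the condition the report describes, added here as an example (not code from Tomcat or from the reporter): it flags any Set-Cookie value that carries SameSite=None without Secure. The sample headers, cookie names and paths are constructed, and the function names are hypothetical.

```python
"""Audit Set-Cookie header values for SameSite=None without Secure."""


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, attributes).

    Attribute names are lower-cased; flag attributes such as Secure map to "".
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def rejected_by_samesite_rule(header_value):
    """True when the cookie asks for SameSite=None but lacks Secure."""
    _, _, attrs = parse_set_cookie(header_value)
    return attrs.get("samesite", "").lower() == "none" and "secure" not in attrs


def audit(header_values):
    """Return the names of cookies a browser enforcing the rule would drop."""
    return [parse_set_cookie(hv)[0]
            for hv in header_values if rejected_by_samesite_rule(hv)]


# Constructed sample headers (not captured from a real Tomcat instance).
SAMPLE_HEADERS = [
    # Session cookie reset as the report describes: SameSite=None, no Secure.
    "JSESSIONID=; Max-Age=0; Path=/app; SameSite=None",
    # The same reset with the Secure flag present.
    "JSESSIONID=; Max-Age=0; Path=/app; Secure; SameSite=None",
    # Cookies that do not use SameSite=None are outside this rule.
    "theme=dark; Path=/; SameSite=Lax",
    # Attribute names are case-insensitive.
    "tracker=abc; samesite=NONE; HttpOnly",
]

if __name__ == "__main__":
    for cookie_name in audit(SAMPLE_HEADERS):
        print(f"{cookie_name}: SameSite=None without Secure")
```

Run it over the Set-Cookie values of each response in a redirect chain; a session cookie reset that is flagged on every hop matches the loop described in the report.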