I can't reproduce this using the standard jetty distro and the standard test webapp that just creates a session via HttpServletRequest.getSession(true), and the web.xml snippet you provided. I tried both 9.4.38 and the latest release and both result in a response with the correct Set-Cookie:
Content-Length: 0
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Location: http://localhost:8080/test/session/;jsessionid=node01ggldqpcbwnmpvb21biv2gceb0.node0?R=0
Server: Jetty(9.4.38.v20210224)
Set-Cookie: visited=yes
Set-Cookie: JSESSIONID=node01ggldqpcbwnmpvb21biv2gceb0.node0; Path=/test; Secure; HttpOnly; SameSite=Strict

Some questions for you:

- Are you sure you don't have any code that would interfere with the setCookie?
- Are you setting this web snippet in a web.xml, or a web-fragment.xml or a web-override.xml?
- Is this response being generated directly from jetty or is this via some other middleware that fronts it (apache, haproxy etc etc)?
- When is this session created? Is it created by your code, or is it created by jetty implicitly via a form login? Did a session already exist when the form login occurred?

Jan

On Thu, 15 Jul 2021 at 04:02, Sai Sankar Challa via jetty-users <[email protected]> wrote:

> Sorry for snipped images.
>
> Here is the configuration added in web.xml
>
> <session-config>
>   <cookie-config>
>     <http-only>true</http-only>
>     <secure>true</secure>
>     <comment>__SAME_SITE_STRICT__</comment>
>   </cookie-config>
> </session-config>
>
> Response Headers
>
> HTTP/1.1 200 OK
> Content-Type: text/html;charset=utf-8
> Set-Cookie: JSESSIONID=node0u99zpkbrxegr59fnxzac8m217.node0; Path=/dashboard; Secure; HttpOnly
> Expires: Thu, 01 Jan 1970 00:00:00 GMT    //Here expecting SameSite to be returned
> Set-Cookie: JSESSIONID=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0
> X-Frame-Options: DENY
> Referrer-Policy: same-origin
> X-Content-Type-Options: nosniff
> X-XSS-Protection: 1; mode=block
> Content-Security-Policy: default-src 'self' https:; script-src 'self' 'sha256-jLiclQuK1N1QZInVr4VJp6uKckK7+/GGsba4nme+PRA=' 'sha256-WcSfBbTthoIIuIdlLvU5spxO2l32y5Nw3Oh4jk4VnBY='; object-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; media-src 'self'; frame-src 'self'; font-src 'self'; connect-src 'self'
> Strict-Transport-Security: max-age=31536000; includeSubDomains
> Content-Length: 3737
>
> Thanks
> Sai
>
> From: Joakim Erdfelt <[email protected]>
> Sent: Wednesday, July 14, 2021 10:46 PM
> To: Sai Sankar Challa <[email protected]>
> Cc: JETTY user mailing list <[email protected]>
> Subject: Re: [jetty-users] SameSite to STRICT
>
> You are using browser developer tooling.
>
> What does the raw HTTP Response (that sets the JSESSIONID) look like?
> As in, can you copy/paste the response, in raw form (not in a table, not post-parsed, not as an image) to this mailing list?
>
> Joakim Erdfelt / [email protected]
>
> On Wed, Jul 14, 2021 at 11:34 AM Sai Sankar Challa <[email protected]> wrote:
>
> Thanks for the response.
>
> I am assuming this is done by Jetty Server.
>
> The URL we are trying is the very first URL, i.e., the login page; post login we do have filter classes where we are doing some modifications.
>
> Thanks
> Sai
>
> From: Joakim Erdfelt <[email protected]>
> Sent: Wednesday, July 14, 2021 9:49 PM
> To: JETTY user mailing list <[email protected]>
> Cc: Sai Sankar Challa <[email protected]>
> Subject: Re: [jetty-users] SameSite to STRICT
>
> What does the actual HTTP Response that created that JSESSIONID look like?
>
> Joakim Erdfelt / [email protected]
>
> On Wed, Jul 14, 2021 at 11:07 AM Sai Sankar Challa via jetty-users <[email protected]> wrote:
>
> Hi Team
>
> We upgraded our Jetty version to 9.4.38.v20210224 and we want to set the 'SameSite' attribute to 'Strict' in JSESSIONID for our portal security.
>
> We made the code changes as per below in our web.xml and still are not seeing any difference.
>
> <session-config>
>   <cookie-config>
>     <http-only>false</http-only>
>     <secure>false</secure>
>     <comment>__SAME_SITE_STRICT__</comment>
>   </cookie-config>
> </session-config>
>
> Browser Cookie
>
> Can you please throw some idea to get this done.
>
> Thanks
> Sai

--
Jan Bartel <[email protected]>
www.webtide.com
Expert assistance from the creators of Jetty and CometD
_______________________________________________ jetty-users mailing list [email protected] To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/jetty-users
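A small script for the check Joakim asks for (read the raw Set-Cookie headers, not the browser's cookie table), added here as an example that is not part of the thread: it parses every Set-Cookie header in a raw response, reports which JSESSIONID cookies lack Secure, HttpOnly or SameSite=Strict, and flags a second Set-Cookie that clears JSESSIONID on another Path, which is the kind of interference from other code or middleware that Jan's questions probe. The sample response is constructed to mirror Sai's capture.

```python
from typing import List

# Constructed sample, modelled on the thread: JSESSIONID set without SameSite,
# then a second Set-Cookie that clears JSESSIONID on Path=/.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html;charset=utf-8\r\n"
    "Set-Cookie: JSESSIONID=node0abc.node0; Path=/dashboard; Secure; HttpOnly\r\n"
    "Set-Cookie: JSESSIONID=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0\r\n"
    "Set-Cookie: visited=yes\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

REQUIRED = ("Secure", "HttpOnly", "SameSite")


def parse_set_cookies(raw: str) -> List[dict]:
    """One dict per Set-Cookie header: cookie name, value and lower-cased attribute map."""
    head = raw.split("\r\n\r\n", 1)[0]
    cookies = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        field, _, value = line.partition(":")
        if field.strip().lower() != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        name, _, cval = parts[0].partition("=")
        attrs = {}
        for p in parts[1:]:
            k, _, v = p.partition("=")
            attrs[k.lower()] = v                 # "" for flag attributes such as HttpOnly
        cookies.append({"name": name.strip(), "value": cval, "attrs": attrs})
    return cookies


def audit_session_cookie(raw: str, name: str = "JSESSIONID") -> List[str]:
    """Findings for every Set-Cookie of `name`: missing attributes or a clearing cookie."""
    findings = []
    for c in (c for c in parse_set_cookies(raw) if c["name"] == name):
        path = c["attrs"].get("path", "/")
        if c["attrs"].get("max-age") == "0" or c["value"] == "":
            findings.append(f"{name} cleared on Path={path}: another writer touches this cookie")
            continue
        for req in REQUIRED:
            if req.lower() not in c["attrs"]:
                findings.append(f"{name} on Path={path} lacks {req}")
            elif req == "SameSite" and c["attrs"]["samesite"].lower() != "strict":
                findings.append(f"{name} on Path={path} has SameSite={c['attrs']['samesite']}, expected Strict")
    return findings


if __name__ == "__main__":
    for f in audit_session_cookie(SAMPLE_RESPONSE):
        print(f)
```

Run it against the response captured with curl -i (or from a proxy) rather than the browser tooling, since the browser shows the merged cookie jar and hides which Set-Cookie header produced it.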
