SameSite cookie in Java application

java cookies csrf flags
Michal_Szulc picture Michal_Szulc · Mar 10, 2017 · Viewed 40.5k times · Source

Do you know any Java cookie implementation which allows to set a custom flag for cookie, like SameSite=strict? It seems that javax.servlet.http.Cookie has a strictly limited set of flags which can be added.

Answer

kriegaex picture kriegaex · Mar 30, 2017

I am not a JEE expert, but I think that because that cookie property is a somewhat new invention, you cannot expect it to be present in Java EE 7 interfaces or implementations. The Cookie class is missing a setter for generic properties, as it seems. But instead of adding the cookie to your HttpServletResponse via 

response.addCookie(myCookie)

you can simply set the corresponding HTTP header field via 

response.setHeader("Set-Cookie", "key=value; HttpOnly; SameSite=strict")

Update: Thanks to @mwyrzyk for pointing out that setHeader() overwrites all existing headers of the same name. So if you happen have other Set-Cookie headers in your response already, of course you would use addHeader() with the same parameters instead.

Related questions

How do you remove a Cookie in a Java Servlet

How do you remove a cookie in a Java servlet? I tried this: http://www.jguru.com/faq/view.jsp?EID=42225 EDIT: The following now works successfully it appears to be the combination of: response.setContentType("text/html"); and cookie.…

Read More
How do you configure HttpOnly cookies in tomcat / java webapps?

After reading Jeff's blog post on Protecting Your Cookies: HttpOnly. I'd like to implement HttpOnly cookies in my web application. How do you tell tomcat to use http only cookies for sessions?

Read More
How do I make an http request using cookies on Android?

I'd like to make an http request to a remote server while properly handling cookies (eg. storing cookies sent by the server, and sending those cookies when I make subsequent requests). It'd be nice to preserve any and all cookies, …

Read More