
Comments (9)

atzoum commented on July 19, 2024

As quarkus-http is based on vert.x you can use the vert.x routing context to set same site cookies, or use Quarkus's same site config mechanism: http://quarkus.io/guides/http-reference#same-site-cookie

Basically it allows you to set the attribute based on a cookie name.

Thank you for the tip, however the relevant vertx extension doesn't handle cookies set by undertow properly, since ResponseWrapper#addCookie is never called from Undertow.

Unfortunately, due to the above, Quarkus' same-site-cookie configuration has no effect on undertow's JSESSIONID session cookie.

After having a closer look into the two HttpServerResponse implementations, maybe a headersEndHandler would be more appropriate to intercept and handle the SameSite attribute of all cookies, which I presume would cover cookies set by undertow as well.

Here is a sample POC implementation. I believe it would make sense to adapt Quarkus' same-site-cookie handling implementation accordingly.

import java.io.IOException;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;

import javax.enterprise.inject.spi.CDI;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;

import org.eclipse.microprofile.config.ConfigProvider;

import io.netty.handler.codec.http.cookie.ClientCookieDecoder;
import io.quarkus.vertx.http.runtime.CurrentVertxRequest;
import io.quarkus.vertx.http.runtime.SameSiteNoneIncompatibleClientChecker;
import io.vertx.core.http.CookieSameSite;
import io.vertx.core.http.HttpHeaders;
import io.vertx.core.http.HttpServerRequest;
import io.vertx.core.http.HttpServerResponse;
import io.vertx.core.http.impl.CookieImpl;
import io.vertx.core.http.impl.ServerCookie;
import io.vertx.ext.web.RoutingContext;

/**
 * POC: rewrites every Set-Cookie header of the response (including Undertow's JSESSIONID)
 * at headers-end time so it carries SameSite=None; Secure, for clients known to handle it.
 */
@WebFilter(urlPatterns = "/*") // assumption for the POC: registered for all paths so the session cookie is covered
public class SameSiteCookieFilter implements Filter {
    private boolean secureCookie;
    private boolean sameSiteNone;

    /**
     * {@inheritDoc}
     */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        // Both switches default to true; setting either to false disables the rewrite.
        secureCookie = ConfigProvider.getConfig().getOptionalValue("http.cookie.secure", Boolean.class).orElse(true);
        sameSiteNone = ConfigProvider.getConfig().getOptionalValue("http.cookie.samesite.none", Boolean.class).orElse(true);
    }

    /**
     * {@inheritDoc}
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
        if (sameSiteNone && secureCookie) {
            RoutingContext routingContext = CDI.current().select(CurrentVertxRequest.class).get().getCurrent();
            HttpServerResponse httpServerResponse = routingContext.response();
            HttpServerRequest httpServerRequest = routingContext.request();
            // Skip user agents that mishandle SameSite=None; they would drop the cookie entirely.
            if (SameSiteNoneIncompatibleClientChecker.shouldSendSameSiteNone(httpServerRequest.getHeader(HttpHeaders.USER_AGENT))) {
                // Runs right before the headers are flushed, i.e. after Undertow has added its own cookies.
                routingContext.addHeadersEndHandler(v -> {
                    Map<String, ServerCookie> cookies = extractCookies(httpServerResponse.headers().getAll(HttpHeaders.SET_COOKIE));
                    if (!cookies.isEmpty()) {
                        httpServerResponse.headers().remove(HttpHeaders.SET_COOKIE);
                        cookies.values().forEach(cookie -> {
                            cookie.setSameSite(CookieSameSite.NONE);
                            cookie.setSecure(true);
                            httpServerResponse.addCookie(cookie);
                        });
                    }
                });
            }
        }
        chain.doFilter(request, response);
    }

    /** Parses raw Set-Cookie header values back into Vert.x server cookies, keyed by cookie name. */
    private static Map<String, ServerCookie> extractCookies(List<String> cookieHeaders) {
        if (cookieHeaders == null) {
            return new HashMap<>(4);
        }
        List<io.netty.handler.codec.http.cookie.Cookie> nettyCookies = cookieHeaders.stream()
                .map(ClientCookieDecoder.STRICT::decode)
                .collect(Collectors.toList());
        Map<String, ServerCookie> cookies = new HashMap<>(nettyCookies.size());
        for (io.netty.handler.codec.http.cookie.Cookie cookie : nettyCookies) {
            ServerCookie ourCookie = new CookieImpl(cookie);
            ourCookie.setChanged(true); // make Vert.x re-serialise it into a Set-Cookie header
            cookies.put(ourCookie.getName(), ourCookie);
        }
        return cookies;
    }
}

Is there any other way to intercept the response and alter the JSESSIONID cookie?

from quarkus-http.

stuartwdouglas commented on July 19, 2024

I have opened #97 which backports the upstream Undertow samesite support. Once it is in and released we can integrate it with the existing vert.x config.

from quarkus-http.

stuartwdouglas commented on July 19, 2024

As quarkus-http is based on vert.x you can use the vert.x routing context to set same site cookies, or use Quarkus's same site config mechanism: http://quarkus.io/guides/http-reference#same-site-cookie

Basically it allows you to set the attribute based on a cookie name.

from quarkus-http.

rewweRrr commented on July 19, 2024

Hi! We have the same problem with the SameSite cookie. I've prepared a simple example:

application.yml

quarkus:
    http:
        same-site-cookie:
            testCookie:
                value: strict

TestController

package com.netcracker.cloud.bss.portal.web.api;

import javax.ws.rs.Consumes;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.NewCookie;
import javax.ws.rs.core.Response;

@Path("")
@Produces(MediaType.APPLICATION_JSON)
@Consumes(MediaType.APPLICATION_JSON)
public class TestController {

    @GET
    @Path("/test")
    public Response getTest() {
        // The SameSite attribute is expected to come from the quarkus.http.same-site-cookie
        // config, keyed by the cookie name "testCookie"; nothing is set on the cookie here.
        NewCookie cookie = new NewCookie("testCookie", "value");
        return Response.ok("Test").cookie(cookie).build();
    }
}

As a result, SameSite=Strict doesn't appear.

from quarkus-http.
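As an added check that is not part of this thread: a small Python script that parses Set-Cookie header values, audits them against a per-cookie SameSite policy shaped like the quarkus.http.same-site-cookie config in the example above, and rewrites them the way the headers-end approach from the first comment does. The JSESSIONID policy entry and the sample headers are constructed for the example.

```python
# Added example, not from the thread: audit Set-Cookie values against a per-cookie SameSite
# policy shaped like quarkus.http.same-site-cookie, and rewrite them as a headers-end handler would.
POLICY = {"testCookie": "Strict", "JSESSIONID": "None"}   # constructed: cookie name -> SameSite
CANON = {"path": "Path", "domain": "Domain", "expires": "Expires", "max-age": "Max-Age",
         "secure": "Secure", "httponly": "HttpOnly", "samesite": "SameSite"}

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, {attr_lowercase: value_or_True})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in filter(None, parts[1:]):
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value, attrs

def serialize(name, value, attrs):  # inverse of parse_set_cookie, canonical attribute spelling
    out = [f"{name}={value}"]
    for key, val in attrs.items():
        label = CANON.get(key, key)
        out.append(label if val is True else f"{label}={val}")
    return "; ".join(out)

def audit(headers, policy=POLICY):
    """Return (cookie, finding) pairs: policy mismatches and SameSite=None without Secure."""
    findings = []
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        raw = attrs.get("samesite")
        same_site = raw.title() if isinstance(raw, str) else None   # normalise 'none' -> 'None'
        expected = policy.get(name)
        if expected and same_site != expected:
            findings.append((name, f"expected SameSite={expected}, got {same_site or 'no attribute'}"))
        if same_site == "None" and attrs.get("secure") is not True:
            findings.append((name, "SameSite=None without Secure; browsers reject such cookies"))
    return findings

def enforce(headers, policy=POLICY):  # rewrite policed cookies as a headers-end handler would
    fixed = []
    for header in headers:
        name, value, attrs = parse_set_cookie(header)
        if name in policy:
            attrs["samesite"] = policy[name]
            if policy[name] == "None":   # None is only honoured together with Secure
                attrs["secure"] = True
        fixed.append(serialize(name, value, attrs))
    return fixed
# Constructed sample: the session cookie as Undertow emits it, the test cookie, and a bad None.
SAMPLE = ["JSESSIONID=abc123; Path=/; HttpOnly", "testCookie=value; Path=/",
          "other=1; Path=/; SameSite=None"]
```

Running audit(SAMPLE) against a real response's Set-Cookie headers shows directly whether the configured attribute reached the session cookie, which is the symptom reported in this thread.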

aelfric commented on July 19, 2024

Is there any known workaround for this? In my case, the application I am using needs to be loaded in an iframe from another site and can no longer track sessions in the iframe because of the browser's cookie policy.

from quarkus-http.

aelfric commented on July 19, 2024

It looks like #97 was merged. What are the steps to be able to take advantage of it?

from quarkus-http.

alexlitovsky commented on July 19, 2024

Is there any known workaround for this? In my case, the application I am using needs to be loaded in an iframe from another site and can no longer track sessions in the iframe because of the browser's cookie policy.

@aelfric A workaround is to handle this in META-INF/undertow-handlers.conf
samesite-cookie(mode=None)

from quarkus-http.

aelfric commented on July 19, 2024

Sorry, just saw this update, but that undertow-handlers workaround doesn't seem to do it for me. I just bumped the Quarkus version to 2.15.3 but am still not able to get the cookies working as expected.

from quarkus-http.
