[CXF-9072] NewCookieHeaderProvider does not support SameSite attribute on cookies - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Open
Priority: Major
Resolution: Unresolved
Affects Version/s: 3.5.9, 4.0.5, 3.6.4
Fix Version/s: 4.1.0, 3.5.11, 3.6.6, 4.0.7
Component/s: JAX-RS
Labels:
None

Estimated Complexity:
Unknown

Description

ResponseImpl.getCookies (which works via NewCookieHeaderProvider) does not work for cookies using the SameSite attribute.

Example:

System.out.println(new NewCookieHeaderProvider().fromString("Set-Cookie: sessionId=38afes7a8"))
System.out.println(new NewCookieHeaderProvider().fromString("Set-Cookie: sessionId=38afes7a8;Comment=none"))
System.out.println(new NewCookieHeaderProvider().fromString("Set-Cookie: sessionId=38afes7a8;SameSite=none"))

Expected output:

Set-Cookie: sessionId=38afes7a8;Version=1
Set-Cookie: sessionId=38afes7a8;Comment=none;Version=1
Set-Cookie: sessionId=38afes7a8;SameSite=none;Version=1

Current output:

Set-Cookie: sessionId=38afes7a8;Version=1
Set-Cookie: sessionId=38afes7a8;Comment=none;Version=1
SameSite=none;Version=1

Note that the SameSite attribute is mistaken for the cookie name and value.

In addition to explicitly supporting the SameSite attribute, it would be much better if the parser behaved in a forward-compatible manner, at the very least ignoring unknown attributes, or better, keeping them in a general attribute map. (Cf. Jakarta’s `Cookie` class.) See also the current valid Set-Cookie syntax.)

Attachments

Activity

People

Assignee:: Andriy Redko

Reporter:: Petr Kadlec

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 24/Oct/24 11:05

Updated:: Yesterday 14:22