B4J Question SameSite=strict

tchart

On B4J Server/jServer I need to turn on SameSite = strict for cookies.

"By default Jetty uses lenient cookie security settings. In order to harden and to mitigate cross-site request forgery (CSRF) attacks, it is useful to set the SameSite=strict cookie flag. This is particularly recommended if the JSESSIONID cookie is also used directly or indirectly for authentication purposes."

I've tried the code below but it has no effect.

B4X:
Sub setSameSite()
    Dim jo As JavaObject = webserver
    ' The session cookie config can only be changed while the servlet context is stopped
    jo.GetFieldJO("server").RunMethod("stop", Null)
    ' Set the cookie comment to Jetty's SameSite=strict marker string
    jo.GetFieldJO("context").RunMethodJO("getSessionHandler", Null).RunMethodJO("getSessionCookieConfig", Null).RunMethod("setComment", Array("__SAME_SITE_STRICT__"))
    jo.GetFieldJO("server").RunMethod("start", Null)
End Sub

The session cookie still shows no tick under SameSite.



If I try this without the stop/start I get this error:

Caused by: java.lang.IllegalStateException: CookieConfig cannot be set after ServletContext is started

So I think this is the right code but perhaps not supported on our version of Jetty?

Any ideas?
 

prajinpraveen

Apologies to bump the old thread.

Were you able to get this working? I am facing the same issue.

joServer.GetFieldJO("context").RunMethodJO("getSessionHandler", Null).RunMethodJO("getSessionCookieConfig", Null).RunMethod("setComment", Array("__SAME_SITE_STRICT__"))

This doesn't seem to have any effect.

Thank you.

tchart

Hi, apologies @prajinpraveen, I forgot to reply.

Yes, for jServer 3 at least this is the workaround. It does require a server stop/start. Basically what it's doing is appending the value to the session cookie. This is a known workaround I found on a Jetty forum.

IMPORTANT NOTE - you need to call this after webserver.Start

B4X:
Sub setSameSite()
    Dim jo As JavaObject = webserver
    ' Must be called after webserver.Start; the cookie config is locked while the context is running
    jo.GetFieldJO("server").RunMethod("stop", Null)
    ' Append SameSite=strict to the session cookie's Path so it is emitted after "Path=/"
    jo.GetFieldJO("context").RunMethodJO("getSessionHandler", Null).RunMethodJO("getSessionCookieConfig", Null).RunMethod("setPath", Array("/;SameSite=strict"))
    jo.GetFieldJO("server").RunMethod("start", Null)
End Sub
 
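The thread's screenshot check ("no tick under SameSite") is a manual one. The script below is an added example, not code from the thread or from jServer/Jetty: it parses a Set-Cookie header the way a browser does (splitting on ";") and reports which hardening attributes the session cookie is missing, which makes it easy to verify that the Path workaround really does produce a separate SameSite=strict attribute. The three header strings are constructed to look like Jetty's JSESSIONID cookie; the session id value is made up.

```python
"""Check a Set-Cookie header for SameSite and the other session-cookie
hardening flags. Added example; not code from the forum thread or from
jServer/Jetty. Sample headers below are constructed, not captured."""

from typing import Dict, List


def parse_set_cookie(header: str) -> Dict[str, str]:
    """Split a Set-Cookie value into the cookie name/value plus lower-cased
    attribute names (attributes without '=' map to '').

    Browsers split the header on ';' and trim whitespace, which is why
    setPath("/;SameSite=strict") ends up as a usable SameSite attribute even
    though the server wrote it as part of the Path value."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    result = {"_name": name.strip(), "_value": value.strip()}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        result[key.strip().lower()] = val.strip()
    return result


def session_cookie_findings(header: str) -> List[str]:
    """Return the hardening gaps for a session cookie header. An empty list
    means SameSite=Strict, HttpOnly and Secure are all present."""
    cookie = parse_set_cookie(header)
    findings: List[str] = []
    samesite = cookie.get("samesite", "").lower()
    if samesite != "strict":
        findings.append(
            "SameSite missing" if not samesite
            else f"SameSite={samesite} (wanted Strict)"
        )
    if "httponly" not in cookie:
        findings.append("HttpOnly missing")
    if "secure" not in cookie:
        findings.append("Secure missing")
    return findings


# Constructed sample headers (the session id is invented).
DEFAULT_JETTY = "JSESSIONID=node01abcdef.node0; Path=/; HttpOnly"
PATH_WORKAROUND = "JSESSIONID=node01abcdef.node0; Path=/;SameSite=strict; HttpOnly"
HARDENED = "JSESSIONID=node01abcdef.node0; Path=/;SameSite=strict; Secure; HttpOnly"

if __name__ == "__main__":
    samples = [("default", DEFAULT_JETTY),
               ("path workaround", PATH_WORKAROUND),
               ("hardened", HARDENED)]
    for label, header in samples:
        print(f"{label:16} -> {session_cookie_findings(header) or 'OK'}")
```

To check a live server, copy the Set-Cookie line from the response that first creates the session (for example from the browser's network tab or from the response headers printed by an HTTP client) and pass it to `session_cookie_findings`. Note that the workaround in the thread only adds SameSite; the Secure flag still has to be set separately if the site is served over HTTPS.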