On B4J Server/jServer I need to turn on SameSite = strict for cookies.
"By default Jetty uses lenient cookie security settings. In order to harden and to mitigate cross-site request forgery (CSRF) attacks, it is useful to set the SameSite=strict cookie flag. This is particularly recommended if the JSESSIONID cookie is also used directly or indirectly for authentication purposes."
I've tried the code below but it has no effect.
B4X:
Sub setSameSite()
	Dim jo As JavaObject = webserver
	' Stop Jetty first: the session cookie config is locked once the ServletContext has started
	jo.GetFieldJO("server").RunMethod("stop", Null)
	' context -> SessionHandler -> SessionCookieConfig
	Dim cookieConfig As JavaObject = jo.GetFieldJO("context").RunMethodJO("getSessionHandler", Null).RunMethodJO("getSessionCookieConfig", Null)
	' Jetty's marker comment that it translates into SameSite=Strict on the JSESSIONID cookie
	cookieConfig.RunMethod("setComment", Array("__SAME_SITE_STRICT__"))
	jo.GetFieldJO("server").RunMethod("start", Null)
End Sub
The session cookie still shows no tick under SameSite.
If I try this without the stop/start I get this error:
Caused by: java.lang.IllegalStateException: CookieConfig cannot be set after ServletContext is started
So I think this is the right code, but perhaps it is not supported on our version of Jetty?
Any ideas?
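For comparison, here is the same hardening done in plain embedded Jetty 9.4 from Java, with a self-check that fetches the response and inspects the Set-Cookie header. This is an added example, not code from the post, from B4J or from jServer; it assumes the jetty-server and jetty-servlet artifacts (javax.servlet API) on the classpath, and the servlet class SessionServlet and the helper names are made up for the demo. The key points it shows: the cookie config must be touched before server.start(), and the marker comment only produces SameSite=Strict on Jetty releases that know it (late 9.4.x), so the program prints Jetty.VERSION so you can compare it against the Jetty bundled with jServer.

```java
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import java.util.Collections;
import java.util.List;

import javax.servlet.SessionCookieConfig;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.eclipse.jetty.http.HttpCookie;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.servlet.ServletContextHandler;
import org.eclipse.jetty.servlet.ServletHolder;
import org.eclipse.jetty.util.Jetty;

/**
 * Added example (not B4J/jServer code): hardening the JSESSIONID cookie in
 * embedded Jetty 9.4 and verifying the Set-Cookie header it emits.
 */
public class SameSiteSessionCookie {

    /** Demo servlet (assumed name) that forces a session so Jetty emits JSESSIONID. */
    public static class SessionServlet extends HttpServlet {
        @Override
        protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
            req.getSession(true);
            resp.setContentType("text/plain");
            resp.getWriter().println("session created");
        }
    }

    /** Builds a server whose session cookie carries HttpOnly and SameSite=Strict. */
    public static Server buildServer() {
        Server server = new Server();
        ServerConnector connector = new ServerConnector(server);
        connector.setPort(0); // ephemeral port, for the demo only
        server.addConnector(connector);

        ServletContextHandler context = new ServletContextHandler(ServletContextHandler.SESSIONS);
        context.setContextPath("/");
        context.addServlet(new ServletHolder(new SessionServlet()), "/*");

        // This block must run BEFORE server.start(). Once the ServletContext is started,
        // every setter on the cookie config throws:
        //   IllegalStateException: CookieConfig cannot be set after ServletContext is started
        SessionCookieConfig cookieConfig = context.getSessionHandler().getSessionCookieConfig();
        cookieConfig.setHttpOnly(true);
        // Jetty 9.4 has no SessionCookieConfig.setSameSite(); it reads this marker comment
        // (the literal "__SAME_SITE_STRICT__") and emits SameSite=Strict on the cookie.
        cookieConfig.setComment(HttpCookie.SAME_SITE_STRICT_COMMENT);
        // When the application is served over HTTPS, also add: cookieConfig.setSecure(true);

        server.setHandler(context);
        return server;
    }

    /** Fetches "/" and returns the Set-Cookie header values the server sent. */
    public static List<String> fetchSetCookie(Server server) throws IOException {
        int port = ((ServerConnector) server.getConnectors()[0]).getLocalPort();
        HttpURLConnection conn =
            (HttpURLConnection) new URL("http://127.0.0.1:" + port + "/").openConnection();
        conn.getResponseCode();
        List<String> values = conn.getHeaderFields().get("Set-Cookie");
        return values == null ? Collections.emptyList() : values;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("Jetty version: " + Jetty.VERSION);
        Server server = buildServer();
        server.start();
        try {
            boolean strict = false;
            for (String c : fetchSetCookie(server)) {
                System.out.println("Set-Cookie: " + c);
                strict |= c.startsWith("JSESSIONID=") && c.toLowerCase().contains("samesite=strict");
            }
            System.out.println(strict
                ? "OK: JSESSIONID carries SameSite=Strict"
                : "MISSING: no SameSite on JSESSIONID; this Jetty may predate the marker comment");
        } finally {
            server.stop();
        }
    }
}
```

The B4X Sub above does the same calls through JavaObject, so if this standalone program prints OK on the Jetty version that jServer ships, the stop/setComment/start sequence should work there too; if it prints MISSING, the Jetty build simply does not translate the marker comment and no amount of restarting will change the cookie.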