B4J Question SameSite=strict

tchart

Well-Known Member
Licensed User
Longtime User
On B4J Server/jServer I need to turn on SameSite = strict for cookies.

"By default Jetty uses lenient cookie security settings. In order to harden and to mitigate cross-site request forgery (CSRF) attacks, it is useful to set the SameSite=strict cookie flag. This is particularly recommended if the JSESSIONID cookie is also used directly or indirectly for authentication purposes."

Ive tried this code below but it has no affect.

B4X: 
Sub setSameSite()
    Dim jo As JavaObject = webserver
    jo.GetFieldJO("server").RunMethod("stop", Null)
    jo.GetFieldJO("context").RunMethodJO("getSessionHandler", Null).RunMethodJO("getSessionCookieConfig", Null).RunMethod("setComment", Array("__SAME_SITE_STRICT__"))   
    jo.GetFieldJO("server").RunMethod("start", Null)
End Sub

The session cookie still shows no tick under SameSite.



If I try this without the stop/start I get this error;

Caused by: java.lang.IllegalStateException: CookieConfig cannot be set after ServletContext is started

So I think this is the right code but perhaps not supported on our version of Jetty?

Any ideas?
 
Sort by date Sort by votes

KMatle

Expert
Licensed User
Longtime User
Maybe not relevant, but are you using "localhost" as an address? If yes, use a real ip-address.
 
Upvote 0
P

prajinpraveen

Active Member
Licensed User
Longtime User
Apologies to bump the old thread.

Were you able to get this working. I am facing the same issue

joServer.GetFieldJO("context").RunMethodJO("getSessionHandler", Null).RunMethodJO("getSessionCookieConfig", Null).RunMethod("setComment", Array("__SAME_SITE_STRICT__"))

This doesnt seem to have any effect

thank you
 
Upvote 0

tchart

Well-Known Member
Licensed User
Longtime User
Hi apologies @prajinpraveen, I forgot to reply

Yes for jServer 3 at least this is the workaround. It does require a server stop/start. Basically what its doing is appending the value to the session cookie. This is a known workaround I found on a Jetty forum.

IMPORTANT NOTE - you need to call this after webserver.Start

B4X: 
Sub setSameSite()
    Dim jo As JavaObject = webserver
    jo.GetFieldJO("server").RunMethod("stop", Null)
    jo.GetFieldJO("context").RunMethodJO("getSessionHandler", Null).RunMethodJO("getSessionCookieConfig", Null).RunMethod("setPath", Array("/;SameSite=strict"))  
    jo.GetFieldJO("server").RunMethod("start", Null)
End Sub
 
Upvote 0
You must log in or register to reply here.

Similar Threads

  • Article
B4J Tutorial How to Install an SSL Certificate in B4J Server (Jetty)
Replies
1
Views
2K
aminoacid
  • Article
B4J Code Snippet Change (or hide) TableView "No content in table" text
Replies
0
Views
1K
LucaMs
  • Article
B4J Library CodeMirror wrapper and example
2
Replies
31
Views
6K
Nokia
  • Question
B4J Question Access to 3rd party libs with jna?
Replies
5
Views
2K
moster67
T
  • Question
B4J Question difference between debug an releas with special char in Database
Replies
3
Views
1K
KMatle
Menu
Log in
Register
Cookies are required to use this site. You must accept them to continue using the site. Learn more…