First of all, it is not possible for foo.com to set a cookie that can be read by bar.com. Host-only only protects example.com cookies from being read by bar.example.com. From RFC 6265 regarding setting a cookie and its Domain attribute: If the domain-attribute is non-empty: If the canonicalized request-host does not domain-match the domain-attribute: Ignore … Read more
New Tomcat version support SameSite cookies via TomcatContextCustomizer. So you should only customize tomcat CookieProcessor, e.g. for Spring Boot: @Configuration public class MvcConfiguration implements WebMvcConfigurer { @Bean public TomcatContextCustomizer sameSiteCookiesConfig() { return context -> { final Rfc6265CookieProcessor cookieProcessor = new Rfc6265CookieProcessor(); cookieProcessor.setSameSiteCookies(SameSiteCookies.NONE.getValue()); context.setCookieProcessor(cookieProcessor); }; } } For SameSiteCookies.NONE be aware, that cookies are also Secure … Read more
You can disable for just search engines using this filter, but I’d advise using it for all responses as it’s worse than just search engine unfriendly. It exposes the session ID which can be used for certain security exploits (more info). Tomcat 6 (pre 6.0.30) You can use the tuckey rewrite filter. Example config for … Read more
JSESSIONID cookie is created/sent when session is created. Session is created when your code calls request.getSession() or request.getSession(true) for the first time. If you just want to get the session, but not create it if it doesn’t exist, use request.getSession(false) — this will return you a session or null. In this case, new session is … Read more