It would be helpful if there is a container-wide solution to add the "Partitioned" attribute to the JSESSIONID cookie. This is relevant for webapps embedded in IFrames across domains, typically those which already have CookieProcessor configured for the "SameSite=None" cookie attribute: starting 2024, Google/Chrome will start phasing out third-party cookies, see https://developers.google.com/privacy-sandbox/3pcd See also https://lists.apache.org/thread/f98hm3z7h9z69210zkn6cyg0c9vwjm1s Support for "Partitioned" could take the form of a new CookieProcessor attribute, e.g.: <Context> <CookieProcessor sameSiteCookies="None" partitioned="true" /> </Context> Attribute "partitioned" enables setting the Partitioned attribute: - if value is false then the Partitioned attribute won't be set. This is the default value - if value is true then the Partitioned attribute will be set
I'd be a lot happier adding this if this work was included in the current RFC6265bis work rather than having been deferred until after RFC6265. My concern is primarily that the current approach may change between now and whichever RFC it appears in. Unfortunately, with the CHIPS trial due to start this month, I don't think it is realistic to wait for an agreed RFC before implementing this feature in Tomcat. My intention is to add this feature but with a note in the Javadoc and the configuration docs that it is not final and there may be breaking changes once the feature is finalised in an RFC.
(In reply to Mark Thomas from comment #1) > My intention is to add this feature but with a note in the Javadoc and the > configuration docs that it is not final and there may be breaking changes > once the feature is finalised in an RFC. +1
Fixed in: - 11.0.x for 11.0.0-M16 onwards - 10.1.x for 10.1.18 onwards - 9.0.x for 9.0.85 onwards - 8.5.x for 8.5.98 onwards Note that for 10.1.x onwards use of the partitioned attribute is separately configurable for session cookies. For 9.0.x and earlier, there is just the web application wide setting on the cookie processor.
I tested in both tomcat 8 and 9 latest versions, but still the cookies are not coming as partitioned even though I have provided the below setting in conf/context.xml. anything I am missing here ? <CookieProcessor partitioned="true" sameSiteCookies="none" />
Look at the version numbers. The fixed versions haven't been released yet.
(In reply to Mark Thomas from comment #5) > Look at the version numbers. The fixed versions haven't been released yet. ?? All versions mentioned in comment #3 have been released.
Sorry, you're right. I thought partitioned support was going to be in the Feb releases. The OP needs to follow this up on the users list.
(In reply to notify.bharani from comment #4) > I tested in both tomcat 8 and 9 latest versions, but still the cookies are > not coming as partitioned even though I have provided the below setting in > conf/context.xml. anything I am missing here ? > > <CookieProcessor partitioned="true" sameSiteCookies="none" /> There is likely something wrong on your end. As Mark mentioned in of the other comments, you are recommended to raise this on the Tomcat users list if this is still a problem for you. I just tested it once more using 9.0.85 and I can confirm that the "Partitioned" flag is added once CookieProcessor is configured like you mention.