openhab/openhab-core

Wrong usage of `SameSite` cookie param in `TokenResource`

Closed this issue · 5 comments

When logging in to Main UI, Firefox is printing this warning to the log:

Cookie “X-OPENHAB-SESSIONID” does not have a proper “SameSite” attribute value.
Soon, cookies without the “SameSite” attribute or with an invalid value will be treated as “Lax”.
This means that the cookie will no longer be sent in third-party contexts.
If your application depends on this cookie being available in such contexts, please add the “SameSite=None“ attribute to it.
To know more about the “SameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite

Also see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#samesitesamesite-value.

I would like to set SameSite to strict, which is supported by the javax.ws.rs.core.NewCookie (see jakartaee/rest#868) since Jakarta EE 3.1; however, the change from the linked PR is not available.

How do I find out the version of Jakarta EE in use by core?

@J-N-K May I ask for your help?
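The Firefox warning quoted above describes how a Lax-by-default browser treats a missing or invalid `SameSite` attribute. The following is an added example (not openHAB code) that parses `Set-Cookie` header values, reports the effective `SameSite` handling and lists the headers a browser would warn about; the sample headers are constructed, with the first one mirroring the session cookie from this issue.

```python
from typing import Dict, List, Optional

# Values a browser accepts for the SameSite attribute (case-insensitive).
VALID_SAMESITE = {"strict", "lax", "none"}


def parse_set_cookie(header: str) -> Dict[str, Optional[str]]:
    """Split one Set-Cookie value into name, value and lower-cased attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie: Dict[str, Optional[str]] = {"name": name.strip(), "value": value}
    for attr in parts[1:]:
        if not attr:
            continue
        key, sep, val = attr.partition("=")
        # Flag attributes such as Secure and HttpOnly carry no value -> None.
        cookie[key.strip().lower()] = val.strip() if sep else None
    return cookie


def effective_samesite(cookie: Dict[str, Optional[str]]) -> str:
    """How a Lax-by-default browser treats the cookie: Strict, Lax or None."""
    raw = cookie.get("samesite")
    if raw is None or raw.lower() not in VALID_SAMESITE:
        return "Lax"  # missing or invalid value falls back to Lax
    return raw.capitalize()


def audit_set_cookie(headers: List[str]) -> List[str]:
    """Return one finding per header a browser would warn about."""
    findings = []
    for header in headers:
        cookie = parse_set_cookie(header)
        raw = cookie.get("samesite")
        if raw is None or raw.lower() not in VALID_SAMESITE:
            findings.append(f"{cookie['name']}: missing or invalid SameSite, treated as Lax")
        elif raw.lower() == "none" and "secure" not in cookie:
            # SameSite=None is only honoured on cookies that are also Secure.
            findings.append(f"{cookie['name']}: SameSite=None requires Secure")
    return findings


# Constructed sample headers; the first mirrors the cookie from the issue.
SAMPLE_HEADERS = [
    "X-OPENHAB-SESSIONID=abc123; Path=/; HttpOnly",
    "X-OPENHAB-SESSIONID=abc123; Path=/; HttpOnly; SameSite=Strict",
    "tracker=1; SameSite=None",
    "weird=1; SameSite=Loose",
]
```

Running `audit_set_cookie(SAMPLE_HEADERS)` flags the first, third and fourth headers; only the second, which carries `SameSite=Strict`, passes.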

Our implementation is provided by org.apache.aries.spec/org.apache.aries.javax.jax.rs-api/1.0.4, which indeed does not contain what you need. Latest PaxWeb now uses jakarta.ws.rs/jakarta.ws.rs-api/2.1.6, which does not contain the extensions either; however, jakarta.ws.rs/jakarta.ws.rs-api/3.1.0 does.

Hmm okay.

Is there a way to get jakarta.ws.rs/jakarta.ws.rs-api/3.1.0 without causing dependency trouble? (I guess no)

No, probably not. Because of the namespace change from javax to jakarta it would be very hard. Do you think we can just create an OhCookie implementation ourselves (probably on top of NewCookie) which contains the changes in the linked PR?

Should be possible.
What about licensing in this case?

Unfortunately, creating our own cookie implementation doesn't help, because the servlet seems to also need an adjustment. However, I found another simple workaround, see #4160.