Red Hat

Undertow 2.1.0.Final Released

A couple of weeks ago we released Undertow 2.1.0.Final, and now it is part of the new WildFly 19.1.0.Final!

Undertow 2.1.0.Final comes with a new predicate handler: samesite-cookie.

This handler can be used to automatically add the SameSite attribute to cookies in your application, making it compatible with the latest draft of the Incrementally Better Cookies spec.

Several clients support the new spec, which means that your cookies without a SameSite attribute will be treated like a SameSite=Lax cookie, limiting them to being sent on same-site requests and top-level cross-site navigations as specified here. Whether this is the desired behavior for your cookie or you want it to have one of the other two values for SameSite (None or Strict), it is good practice to explicitly define the SameSite attribute in your cookies. This can be achieved via the samesite-cookie handler.

The handler can be used in the same way as any other predicate handler, in the form predicate->handler:

path(/app2)->samesite-cookie(None)

The predicate above will apply the SameSite=None attribute to all cookies set when handling requests to the path /app2. As None is not supported by all clients, the handler applies a client checker that skips the attribute if the client is not compatible.

This client check is enabled by default, but can be explicitly enabled or disabled via the enable-client-checker parameter:

path(/app2)->samesite-cookie(mode=None, enable-client-checker=false)

Section 3.2 of Incrementally Better Cookies also makes it mandatory for cookies that have SameSite=None to have the Secure attribute. This is done automatically by the handler unless the add-secure-for-none=false parameter is specified.

Finally, the handler can be used in a finer-grained way if desired, via the optional cookie-pattern parameter, which expects a cookie name regex. The example below adds SameSite=Lax to all cookies whose names start with abc:

path(/app2)->samesite-cookie(mode=Lax, cookie-pattern=abc*)
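To check the result of rules like the ones above, the following added example (not part of Undertow or of the original post) audits Set-Cookie response headers for the conditions this post describes: a missing SameSite attribute, an unrecognised value, and SameSite=None without Secure. The function names and the sample headers are assumptions made for the illustration.

```python
"""Audit Set-Cookie headers for the SameSite rules described in this post."""

VALID_MODES = {"strict", "lax", "none"}


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, {lowercased attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue  # tolerate a trailing ';'
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def audit(headers):
    """Return (cookie name, finding) for every cookie that needs attention."""
    findings = []
    for header in headers:
        name, attrs = parse_set_cookie(header)
        mode = attrs.get("samesite")
        if mode is None:
            findings.append((name, "no SameSite attribute; clients following "
                                   "the draft treat it as Lax"))
        elif mode.lower() not in VALID_MODES:
            findings.append((name, "unrecognised SameSite value %r" % mode))
        elif mode.lower() == "none" and "secure" not in attrs:
            findings.append((name, "SameSite=None without Secure"))
    return findings


# Constructed sample headers (not captured from a real server).
SAMPLE = [
    "abc1=x; Path=/app2; SameSite=Lax",
    "tracker=y; Path=/app2; SameSite=None",
    "sid=z; Path=/app2; Secure; HttpOnly; SameSite=None",
    "legacy=w; Path=/",
    "odd=v; SameSite=Relaxed",
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE):
        print("%s: %s" % (name, finding))
```

A cookie flagged as SameSite=None without Secure can point to a rule that sets add-secure-for-none=false, and a cookie with no SameSite attribute to a path or cookie-pattern that does not cover it.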

Besides the new handler, we have added several fixes to the project and updated dependencies to the latest.

A full list of Jiras can be viewed here. I hope you all enjoy the new Undertow release!