A couple of weeks ago we released Undertow 2.1.0.Final, and now it is part of the new WildFly 19.1.0.Final!
Undertow 2.1.0.Final comes with a new predicate handler: samesite-cookie.
This handler can be used to automatically add the SameSite attribute to cookies in your application, making it compatible with the latest draft of the Incrementally Better Cookies spec.
Several clients support the new spec, which means that your cookies without a SameSite attribute will be treated like a SameSite=Lax cookie, so they are sent only with same-site requests and top-level cross-site navigations, as specified here.
Whether this is the desired behavior for your cookie or if you want it to have one of the other two values for
Strict), it is a good practice to explicitly define the
SameSite attribute in your cookies. This can be achieved via
The handler can be used in the same way as any other predicate handler, in the form
The predicate above will apply the SameSite=None attribute to all cookies set when handling requests to the path
None is not supported by all clients the handler applies a client checker that skips the attribute if the client is not compatible.
This client check is enabled by default, but can be explicitly enabled or disabled via
Section 3.2 of Incrementally Better Cookies also makes it mandatory for cookies that have SameSite=None to have the Secure attribute. This is done automatically by the handler unless the add-secure-for-none=false parameter is specified.
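To confirm what your application actually sends, you can audit its Set-Cookie headers against the two rules above: a missing SameSite attribute (treated as Lax by clients that implement the draft) and SameSite=None without Secure. The script below is an added example, not part of Undertow or of the original post; the header values are constructed samples and the finding labels are this example's own.

```python
# Added example: audit Set-Cookie values for the two rules discussed above.
VALID_MODES = {"strict", "lax", "none"}

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, {lowercased attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if part:
            # Flag attributes such as Secure have no "=", so value is "".
            key, _, value = part.partition("=")
            attrs[key.strip().lower()] = value.strip()
    return name, attrs

def audit_cookie(header):
    """Return (cookie name, findings) for one Set-Cookie value."""
    name, attrs = parse_set_cookie(header)
    findings = []
    mode = attrs.get("samesite")
    if mode is None:
        # Clients implementing the draft treat this cookie as SameSite=Lax.
        findings.append("no-samesite")
    elif mode.lower() not in VALID_MODES:
        findings.append("invalid-samesite")
    elif mode.lower() == "none" and "secure" not in attrs:
        # The draft makes Secure mandatory for SameSite=None cookies.
        findings.append("none-without-secure")
    return name, findings

def audit(headers):
    """Map cookie name -> findings for every cookie that has any."""
    report = {}
    for header in headers:
        name, findings = audit_cookie(header)
        if findings:
            report[name] = findings
    return report

# Constructed sample values, not captured traffic.
SAMPLE_HEADERS = [
    "JSESSIONID=abc123; Path=/app; HttpOnly",
    "prefs=dark; Path=/; SameSite=None",
    "widget=1; Path=/; Secure; SameSite=None",
    "abc_token=x; Path=/; SameSite=Lax",
]

if __name__ == "__main__":
    print(audit(SAMPLE_HEADERS))
```

Feed it the Set-Cookie values collected from your own responses before and after enabling the handler to see which cookies changed.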
Finally, the handler can be used in a finer-grained way if desired, via the optional cookie-pattern parameter, which expects a cookie name regex. The example below adds SameSite=Lax to all cookies whose names start with
Besides the new handler, we have added several fixes to the project and updated dependencies to their latest versions.
A full list of Jiras can be viewed here. I hope you all enjoy the new Undertow release!