Google Chrome restricts cookie use on sites without an SSL certificate
Hello, this is CertKorea.
Starting with Google Chrome version 80 (released 2020-02-04), cookie use on http sites is restricted.
Because the default value of the cookie SameSite attribute changes from None to 'Lax', problems can arise in third-party systems that were previously integrated with your site, and especially in payment modules.
(If a site uses a payment gateway (PG) module, there is room for problems because the site's domain and the payment provider's domain differ.)
Previously, even when the domain of the site that set a cookie differed from that of the external site that wanted to use it, nothing restricted this, so the two could share cookies (SameSite=None).
Once the default cookie policy changes to SameSite=Lax, cookie use is restricted to sites with the same domain, and cookies are sent cross-site only in a few exceptional situations (HTTP GET method, a href links, etc.).
[Image: the a.com and b.com sites sharing a cookie]
What if maintaining or developing the site to match the changed policy is difficult?
Google announced that only sites served over https can continue to use the SameSite=None policy.
Therefore, if you must keep using SameSite=None, you must use an SSL certificate.
If you have applied an SSL certificate and want the web server to apply the cookie policy None to every cookie at once, you can do so with the following methods.
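The rules described above can be checked against a concrete cookie. The following is an added example, not code from the original post: a small Python model of the Chrome 80 behaviour (Lax when SameSite is absent, rejection of SameSite=None without Secure, and which cross-site requests still carry a Lax cookie). The function names, the request kinds and the sample cookies are assumptions made for illustration; the parser is Python's own http.cookies module.

```python
# Added example (not code from the original post): a small model of the
# Chrome 80 cookie rules described above. The function names, the request
# kinds and the sample cookies are assumptions made for illustration.
from http.cookies import SimpleCookie

LAX_POST_WINDOW_S = 120  # Chrome's temporary "Lax + POST" allowance (2 minutes)


def parse_set_cookie(set_cookie):
    """Return (samesite_value_or_None, secure_flag) for one Set-Cookie line.
    SimpleCookie understands the SameSite attribute from Python 3.8 on."""
    jar = SimpleCookie()
    jar.load(set_cookie)
    morsel = next(iter(jar.values()))
    samesite = morsel["samesite"].capitalize() or None  # '' when absent
    return samesite, bool(morsel["secure"])


def effective_samesite(set_cookie):
    """SameSite policy Chrome 80 applies: 'Lax' when the attribute is absent
    (the new default), the explicit value otherwise, or None when the cookie
    is rejected outright because SameSite=None was sent without Secure."""
    samesite, secure = parse_set_cookie(set_cookie)
    if samesite == "None" and not secure:
        return None
    return samesite or "Lax"


def sent_cross_site(set_cookie, request_kind, cookie_age_s=0):
    """Would Chrome 80 attach this cookie to a cross-site request?

    request_kind: 'top_level_get'  - link click / <a href> / GET form
                  'top_level_post' - e.g. a payment gateway POSTing the
                                     result page back to the shop
                  'subresource'    - iframe, XHR/fetch, image
    cookie_age_s: seconds since the cookie was set (for the Lax+POST rule).
    """
    samesite, _ = parse_set_cookie(set_cookie)
    policy = effective_samesite(set_cookie)
    if policy is None:
        return False                # rejected when it was set
    if policy == "None":
        return True                 # the old behaviour, now requires Secure
    if policy == "Strict":
        return False
    # Lax: top-level GET navigations only ...
    if request_kind == "top_level_get":
        return True
    # ... plus Chrome's temporary exception: a cookie with *no* SameSite
    # attribute is still sent on a top-level POST within 2 minutes of being set
    return (samesite is None and request_kind == "top_level_post"
            and cookie_age_s < LAX_POST_WINDOW_S)


def payment_return_scenario():
    """The PG case from the text: the shop's session cookie, gateway POSTs
    the result back 5 minutes later (constructed sample cookies)."""
    legacy = "shopsession=abc123; Path=/; HttpOnly"
    fixed = "shopsession=abc123; Path=/; HttpOnly; Secure; SameSite=None"
    return {
        "legacy_cookie_sent": sent_cross_site(legacy, "top_level_post", 300),
        "fixed_cookie_sent": sent_cross_site(fixed, "top_level_post", 300),
    }


if __name__ == "__main__":
    print(payment_return_scenario())  # legacy False, fixed True
```

The scenario function shows why payment modules break first: the gateway returns the customer with a top-level POST, which a Lax cookie does not accompany, so the shop's session is gone unless the cookie is re-issued with Secure and SameSite=None over https.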
1. Apache configuration
A. In a conf file such as httpd.conf (mod_headers must be enabled), edit the Set-Cookie header value as follows.
Header always edit Set-Cookie (.*) "$1; Secure; SameSite=None"
2. Nginx configuration
A. In a conf file such as nginx.conf, modify the value as follows.
location / {
    # your usual config ...
    # rewrite every Set-Cookie coming back from the upstream so the cookie
    # carries Secure and SameSite=None (applies only to proxy_pass responses)
    proxy_cookie_path / "/; secure; SameSite=None";
}
3. Tomcat configuration
A. On Tomcat 8.5 and later, cookie attributes can be defined with the CookieProcessor component.
B. Modify the context.xml file.
<Context>
    ...
    <CookieProcessor sameSiteCookies="none"/>
</Context>
Detailed configuration and source: https://tomcat.apache.org/tomcat-8.5-doc/config/cookie-processor.html
4. IIS configuration
A. Install the URL Rewrite module in IIS. (https://www.iis.net/downloads/microsoft/url-rewrite)
B. Configure the web.config file as follows. (This is an example.)
<rewrite>
  <outboundRules>
    <rule name="AddSameSiteCookieFlag">
      <!-- matches only the named cookies; extend the list for your application -->
      <match serverVariable="RESPONSE_Set-Cookie" pattern="^(.*)(CFID|CFTOKEN|JSESSIONID)(=.*)$" />
      <action type="Rewrite" value="{R:0};Secure;SameSite=None" />
    </rule>
  </outboundRules>
</rewrite>
Detailed configuration and source: https://www.petefreitag.com/item/850.cfm
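All four server rules above append "Secure; SameSite=None" to whatever Set-Cookie the application produced, so a cookie that already carries a SameSite or Secure attribute ends up with the attribute twice. The following is an added example, not code from the original post or from any of the servers named: the same rewrite done in application code, idempotently, and skipped over plain http where the rewritten cookie could not be stored anyway. The function names and the sample headers are assumptions made for illustration.

```python
# Added example (not part of the original post): the header rewrite the
# server rules above perform, done in application code so it is idempotent.
# The function names and the sample headers are assumptions made for
# illustration.


def add_secure_samesite_none(set_cookie):
    """Return the Set-Cookie value with Secure and SameSite=None applied.

    Unlike a blind regex append, an existing SameSite attribute is replaced
    and an existing Secure flag is not duplicated, so running the rewrite
    twice (application plus web server) still yields one well-formed header."""
    parts = [p.strip() for p in set_cookie.split(";") if p.strip()]
    name_value, attrs = parts[0], parts[1:]
    kept = [a for a in attrs
            if a.lower() != "secure" and not a.lower().startswith("samesite=")]
    return "; ".join([name_value, *kept, "Secure", "SameSite=None"])


def rewrite_response_headers(headers, request_is_https):
    """Apply the rewrite to every Set-Cookie in a list of (name, value) pairs.

    Over plain http the rewrite is skipped on purpose: Chrome 80 rejects
    SameSite=None without Secure, and a Secure cookie set over http is not
    stored by Chrome either, so the cookie would be lost both ways. That is
    why the text requires an SSL certificate before changing the policy."""
    if not request_is_https:
        return list(headers)
    return [(n, add_secure_samesite_none(v) if n.lower() == "set-cookie" else v)
            for n, v in headers]


if __name__ == "__main__":
    # constructed sample response headers
    sample = [("Content-Type", "text/html"),
              ("Set-Cookie", "JSESSIONID=abc; Path=/; HttpOnly"),
              ("Set-Cookie", "pref=dark; SameSite=Lax; Secure")]
    for name, value in rewrite_response_headers(sample, request_is_https=True):
        print(f"{name}: {value}")
```

Applying the rewrite in the application rather than the proxy also lets you limit it to the cookies that genuinely travel cross-site (the payment-gateway session, for example) instead of marking every cookie SameSite=None.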
Thank you.
# References and sources
https://tomcat.apache.org/tomcat-8.5-doc/config/cookie-processor.html
https://www.iis.net/downloads/microsoft/url-rewrite