Is it possible to set Same-site Cookie flag in Spring Security?
And if not, is it on a roadmap to add support, please? There is already support in some browsers (i.e. Chrome).
From spring boot version 2.6. + you may specify your samesite cookie either programatically or via configuration file. This should be the answer for 2022. Upper will cause Spring to bind the attribute into org.
Secure context: This feature is available only in secure contexts (HTTPS), in some or all supporting browsers. The SameSite attribute of the Set-Cookie HTTP response header allows you to declare if your cookie should be restricted to a first-party or same-site context.
Developers must use a new cookie setting, SameSite=None , to designate cookies for cross-site access. When the SameSite=None attribute is present, an additional Secure attribute must be used so cross-site cookies can only be accessed over HTTPS connections.
Enable the new SameSite behavior If you are running Chrome 91 or newer, you can skip to step 3.) Go to chrome://flags and enable (or set to "Default") both #same-site-by-default-cookies and #cookies-without-same-site-must-be-secure. Restart Chrome for the changes to take effect, if you made any changes.
New Tomcat version support SameSite cookies via TomcatContextCustomizer
. So you should only customize tomcat CookieProcessor, e.g. for Spring Boot:
@Configuration public class MvcConfiguration implements WebMvcConfigurer { @Bean public TomcatContextCustomizer sameSiteCookiesConfig() { return context -> { final Rfc6265CookieProcessor cookieProcessor = new Rfc6265CookieProcessor(); cookieProcessor.setSameSiteCookies(SameSiteCookies.NONE.getValue()); context.setCookieProcessor(cookieProcessor); }; } }
For SameSiteCookies.NONE
be aware, that cookies are also Secure
(SSL used), otherwise they couldn't be applied.
By default since Chrome 80 cookies considered as SameSite=Lax
!
See SameSite Cookie in Spring Boot and SameSite cookie recipes.
For nginx proxy it could be solved easily in nginx config:
if ($scheme = http) { return 301 https://$http_host$request_uri; } proxy_cookie_path / "/; secure; SameSite=None";
UPDATE from @madbreaks: proxy_cookie_flags iso proxy_cookie_path
proxy_cookie_flags ~ secure samesite=none;
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With