 

Same-Site flag for session cookie in Spring Security

Is it possible to set the SameSite cookie flag in Spring Security?

And if not, is it on a roadmap to add support, please? There is already support in some browsers (e.g. Chrome).

Tomáš Hála asked Mar 24 '17 11:03


People also ask

How do you set the SameSite cookie flag in Spring Boot?

From Spring Boot 2.6+ you may specify your SameSite cookie either programmatically or via the configuration file. This should be the answer for 2022. The above will cause Spring to bind the attribute into org.

Is same site supported cookie flag?

Secure context: This feature is available only in secure contexts (HTTPS), in some or all supporting browsers. The SameSite attribute of the Set-Cookie HTTP response header allows you to declare if your cookie should be restricted to a first-party or same-site context.

How do you specify cookie SameSite?

Developers must use a new cookie setting, SameSite=None, to designate cookies for cross-site access. When the SameSite=None attribute is present, an additional Secure attribute must be used so that cross-site cookies can only be accessed over HTTPS connections.

How do you set a SameSite flag?

Enable the new SameSite behavior (if you are running Chrome 91 or newer, you can skip to step 3): go to chrome://flags and enable (or set to "Default") both #same-site-by-default-cookies and #cookies-without-same-site-must-be-secure. Restart Chrome for the changes to take effect, if you made any changes.


1 Answer

Newer Tomcat versions support SameSite cookies via TomcatContextCustomizer. So you only need to customize the Tomcat CookieProcessor, e.g. for Spring Boot:

```java
import org.apache.tomcat.util.http.Rfc6265CookieProcessor;
import org.apache.tomcat.util.http.SameSiteCookies;
import org.springframework.boot.web.embedded.tomcat.TomcatContextCustomizer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

@Configuration
public class MvcConfiguration implements WebMvcConfigurer {

    // Spring Boot applies this customizer to the embedded Tomcat context at startup.
    @Bean
    public TomcatContextCustomizer sameSiteCookiesConfig() {
        return context -> {
            final Rfc6265CookieProcessor cookieProcessor = new Rfc6265CookieProcessor();
            // Every Set-Cookie header produced by this context (including JSESSIONID)
            // now carries SameSite=None.
            cookieProcessor.setSameSiteCookies(SameSiteCookies.NONE.getValue());
            context.setCookieProcessor(cookieProcessor);
        };
    }
}
```

For SameSiteCookies.NONE, be aware that the cookies must also be Secure (SSL used); otherwise they can't be applied.

Since Chrome 80, cookies are treated as SameSite=Lax by default!

See SameSite Cookie in Spring Boot and SameSite cookie recipes.


For an nginx proxy it can be solved easily in the nginx config:

```nginx
if ($scheme = http) {
    return 301 https://$http_host$request_uri;
}

proxy_cookie_path / "/; secure; SameSite=None";
```

UPDATE from @madbreaks: use proxy_cookie_flags instead of proxy_cookie_path:

```nginx
proxy_cookie_flags ~ secure samesite=none;
```
Grigory Kislin answered Sep 22 '22 16:09
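The two browser rules the answer leans on (a missing SameSite attribute is treated as Lax since Chrome 80, and SameSite=None is dropped unless Secure is also set) are easy to get wrong once the attribute is stamped on by Tomcat or rewritten by a proxy. The following checker is an added example, not code from the answer or from Spring, Tomcat or nginx. It parses Set-Cookie headers and reports how a Chrome 80+ browser would treat each cookie; the sample headers are constructed to resemble what the configurations above emit, with and without TLS.

```python
"""Audit Set-Cookie headers against the SameSite rules a Chrome 80+ browser applies.

Added example, not code from the original post or from Spring/Tomcat/nginx:
  * a cookie with no (valid) SameSite attribute is treated as SameSite=Lax;
  * SameSite=None is only honoured when Secure is also present, otherwise the
    browser rejects the cookie entirely.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class CookieAudit:
    name: str
    declared_samesite: Optional[str]   # attribute as sent, None if absent
    effective_samesite: Optional[str]  # what the browser applies; None if rejected
    secure: bool
    rejected: bool
    warnings: List[str] = field(default_factory=list)


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, Optional[str]]]:
    """Split a Set-Cookie header into (name, value, attributes).

    Attribute names are lower-cased; flag attributes such as Secure and
    HttpOnly map to None.
    """
    parts = [p.strip() for p in header.split(";") if p.strip()]
    if not parts or "=" not in parts[0]:
        raise ValueError(f"not a cookie pair: {header!r}")
    name, value = (s.strip() for s in parts[0].split("=", 1))
    attrs: Dict[str, Optional[str]] = {}
    for attr in parts[1:]:
        if "=" in attr:
            k, v = attr.split("=", 1)
            attrs[k.strip().lower()] = v.strip()
        else:
            attrs[attr.lower()] = None
    return name, value, attrs


def audit_set_cookie(header: str) -> CookieAudit:
    """Determine how a Chrome 80+ browser treats the cookie in this header."""
    name, _value, attrs = parse_set_cookie(header)
    secure = "secure" in attrs
    declared = attrs.get("samesite")
    norm = declared.lower() if declared else None
    warnings: List[str] = []
    rejected = False

    if norm in ("lax", "strict"):
        effective: Optional[str] = norm.capitalize()
    elif norm == "none":
        if secure:
            effective = "None"
        else:
            # cookies-without-same-site-must-be-secure: the Set-Cookie is ignored.
            effective = None
            rejected = True
            warnings.append("SameSite=None without Secure: the browser drops this cookie")
    else:
        # Absent or unrecognised value: same-site-by-default-cookies falls back to Lax.
        effective = "Lax"
        warnings.append(
            "no valid SameSite attribute: treated as Lax, so cross-site POSTs "
            "(SSO callbacks, embedded forms) will not carry this cookie"
        )

    return CookieAudit(name, declared, effective, secure, rejected, warnings)


# Constructed sample headers resembling what the configurations above would emit.
SAMPLE_HEADERS = {
    "tomcat-default":   "JSESSIONID=abc123; Path=/; HttpOnly",
    "tomcat-none-tls":  "JSESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=None",
    "tomcat-none-http": "JSESSIONID=abc123; Path=/; HttpOnly; SameSite=None",
    "csrf-strict":      "XSRF-TOKEN=t0k3n; Path=/; SameSite=Strict",
}


def audit_all(headers: Dict[str, str]) -> Dict[str, CookieAudit]:
    """Audit a labelled set of Set-Cookie headers."""
    return {label: audit_set_cookie(h) for label, h in headers.items()}


if __name__ == "__main__":
    for label, result in audit_all(SAMPLE_HEADERS).items():
        status = "REJECTED" if result.rejected else f"SameSite={result.effective_samesite}"
        print(f"{label:18s} {result.name}: {status}")
        for w in result.warnings:
            print(f"{'':18s}   ! {w}")
```

The third sample is exactly what the Tomcat configuration in the answer produces when the application is reached over plain HTTP, and the browser silently discards it; this is why the redirect to HTTPS in the nginx snippet matters. Note also that proxy_cookie_path only rewrites Set-Cookie headers that carry a Path attribute, which is one reason the proxy_cookie_flags form is preferable.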