
Setting jsessionid cookie to SameSite=Strict attribute in spring boot?

What is the spring-boot configuration to set the jsessionId cookie as SameSite=Strict?

JsessionId needs to have SameSite=Strict added on the existing cookie, not through new cookie generation. Is it supported?

chakleChincken asked Oct 29 '18 11:10


2 Answers

I used Rfc6265CookieProcessor to configure the SameSite flag in the Spring Boot application as a workaround.

build.gradle:

dependencies {
    implementation 'org.springframework.boot:spring-boot-starter-tomcat'
    ...
}

Config in the main class:

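import org.apache.catalina.Context;
import org.apache.tomcat.util.http.Rfc6265CookieProcessor;
import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory;
import org.springframework.boot.web.servlet.server.ServletWebServerFactory;
import org.springframework.context.annotation.Bean;

@Bean
public ServletWebServerFactory servletContainer() {
    return new TomcatServletWebServerFactory() {
        @Override
        protected void postProcessContext(Context context) {
            // The cookie processor applies to every cookie this context sets, JSESSIONID included.
            Rfc6265CookieProcessor rfc6265CookieProcessor = new Rfc6265CookieProcessor();
            rfc6265CookieProcessor.setSameSiteCookies("Strict");
            context.setCookieProcessor(rfc6265CookieProcessor);
        }
    };
}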

Dzmitry Savitski answered Sep 20 '22 02:09


With Undertow 2.1.0.Final and later you can do it like this:

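import io.undertow.server.handlers.CookieSameSiteMode;
import io.undertow.server.handlers.SameSiteCookieHandler;
import org.springframework.boot.web.embedded.undertow.UndertowServletWebServerFactory;
import org.springframework.context.annotation.Bean;

// Pattern matched against cookie names; only matching cookies get the attribute.
public static final String COOKIE_PATTERN = "JSESSIONID";

@Bean
public UndertowServletWebServerFactory undertowServletWebServerFactory() {
    UndertowServletWebServerFactory undertow = new UndertowServletWebServerFactory();

    // Wrap the initial handler chain so the SameSite attribute is added to outgoing cookies.
    undertow.addDeploymentInfoCustomizers(
            deploymentInfo -> deploymentInfo.addInitialHandlerChainWrapper(
                    handler -> new SameSiteCookieHandler(handler, CookieSameSiteMode.STRICT.name(), COOKIE_PATTERN)
            ));

    return undertow;
}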

Mihail answered Sep 20 '22 02:09
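
A way to check the result of either configuration above, added here as an example (it is not code from either answer or from Spring Boot, Tomcat or Undertow): it parses Set-Cookie header values and reports whether the JSESSIONID cookie carries SameSite=Strict. The class name SameSiteCheck, its methods and the sample header values are assumptions constructed for illustration.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;

public class SameSiteCheck {

    /** Parses the attributes of one Set-Cookie value into lower-cased names mapped to values. */
    static Map<String, String> attributes(String setCookie) {
        Map<String, String> attrs = new LinkedHashMap<>();
        String[] parts = setCookie.split(";");
        // parts[0] is the name=value pair; the rest are attributes such as Path or SameSite.
        for (int i = 1; i < parts.length; i++) {
            String[] kv = parts[i].trim().split("=", 2);
            attrs.put(kv[0].trim().toLowerCase(Locale.ROOT), kv.length == 2 ? kv[1].trim() : "");
        }
        return attrs;
    }

    /** Returns the cookie name from one Set-Cookie value. */
    static String name(String setCookie) {
        return setCookie.split(";", 2)[0].split("=", 2)[0].trim();
    }

    /**
     * True only if at least one header sets the named cookie and every header
     * that sets it carries SameSite=Strict (attribute name and value compared case-insensitively).
     */
    static boolean isStrict(List<String> setCookieHeaders, String cookieName) {
        boolean seen = false;
        for (String header : setCookieHeaders) {
            if (!name(header).equals(cookieName)) continue;
            seen = true;
            if (!"strict".equalsIgnoreCase(attributes(header).get("samesite"))) return false;
        }
        return seen;
    }

    public static void main(String[] args) {
        // Constructed sample headers, not captured from a real server.
        List<String> before = Collections.singletonList("JSESSIONID=0123ABCD; Path=/; HttpOnly");
        List<String> after = Arrays.asList(
                "JSESSIONID=0123ABCD; Path=/; HttpOnly; SameSite=Strict",
                "theme=dark; Path=/");
        System.out.println("without the configuration: " + isStrict(before, "JSESSIONID"));
        System.out.println("with the configuration:    " + isStrict(after, "JSESSIONID"));
    }
}
```

The same `isStrict` check can be run in an integration test against the Set-Cookie values returned by the application's first response that creates a session.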