Menu
I'm unable to set SameSite cookie value to None.
Following is how i'm generating ResponseCookie object.
ResponseCookie cookie = ResponseCookie.from("Hb", cookieUserId)
.maxAge(!isEmpty(cookieUserId) ? MAX_COOKIE_DURATION : 0)
.domain("test.com")
.sameSite("None")
.secure(true)
.path("/")
.build();
response.addCookie(cookie)
Curl request to endpoint
curl -X POST "localhost:8080/v1/user/v" --data "{}" -v -H 'Content-Type: application/json'
Response:
< set-cookie: Hb=00b7be31-fc6d-4891-a07c-46b5ef2b423c; Max-Age=7776000; Expires=Fri, 8 Nov 2019 17:23:52 GMT; Path=/; Domain=test.com; Secure
As you can see SameSite attribute is missing from the cookie.
Spring Boot (version: 2.1.3.RELEASE) dependency
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-webflux</artifactId>
<exclusions>
<exclusion>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-logging</artifactId>
</exclusion>
</exclusions>
</dependency>
735
A New Model for Cookie Security and Transparency Developers must use a new cookie setting, SameSite=None , to designate cookies for cross-site access. When the SameSite=None attribute is present, an additional Secure attribute must be used so cross-site cookies can only be accessed over HTTPS connections.
Fixing common warnings The warning appears because any cookie that requests SameSite=None but is not marked Secure will be rejected. To fix this, you will have to add the Secure attribute to your SameSite=None cookies. A Secure cookie is only sent to the server with an encrypted request over the HTTPS protocol.
The none value won't give any kind of protection. The browser attaches the cookies in all cross-site browsing contexts. The default value of the SameSite attribute differs with each browser, therefore it is advised to explicitly set the value of the attribute.
Cookies with SameSite=None are specifically marked for use in third-party contexts. By requiring SameSite=None cookies to be Secure, users are protected by default from attacks on their identifying data that may compromise their privacy. In addition, non-secure embeds are a risk to users' privacy and security.
I think the issue is that the underlying javax.servlet.http.Cookie does not support the SameSite attribute, let alone the new None value.
Instead you can set this directly as a header, assuming your response is an instance of javax.servlet.http.HttpServletResponse:
ResponseCookie cookie = ResponseCookie.from("Hb", cookieUserId)
.maxAge(!isEmpty(cookieUserId) ? MAX_COOKIE_DURATION : 0)
.domain("test.com")
.sameSite("None")
.secure(true)
.path("/")
.build();
response.addHeader(HttpHeaders.SET_COOKIE, cookie.toString());
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
