Same-Site flag for session cookie in Spring Security

Question

Welcome To Ask or Share your Answers For Others

Same-Site flag for session cookie in Spring Security

1 Reply

深蓝 · Answer 1 · 2021-10-16T23:34:26+0000

New Tomcat version support SameSite cookies via TomcatContextCustomizer. So you should only customize tomcat CookieProcessor, e.g. for Spring Boot:

@Configuration
public class MvcConfiguration implements WebMvcConfigurer {
    @Bean
    public TomcatContextCustomizer sameSiteCookiesConfig() {
        return context -> {
            final Rfc6265CookieProcessor cookieProcessor = new Rfc6265CookieProcessor();
            cookieProcessor.setSameSiteCookies(SameSiteCookies.NONE.getValue());
            context.setCookieProcessor(cookieProcessor);
        };
    }
}

For SameSiteCookies.NONE be aware, that cookies are also Secure (SSL used), otherwise they couldn't be applied.

By default since Chrome 80 cookies considered as SameSite=Lax!

See SameSite Cookie in Spring Boot and SameSite cookie recipes.

For nginx proxy it could be solved easily in nginx config:

if ($scheme = http) {
    return 301 https://$http_host$request_uri;
}

proxy_cookie_path / "/; secure; SameSite=None";

Categories

Same-Site flag for session cookie in Spring Security

Same-Site flag for session cookie in Spring Security

Please log in or register to add a comment.

Please log in or register to reply this article.

1 Reply

Please log in or register to add a comment.

Just Browsing Browsing

Most popular tags