server.servlet.session.cookie.same-site isn't applied to Spring Session's SESSION cookie #28772
Comments
Setting
Thanks for trying that out, @OrangeDog. It doesn't work as I misdiagnosed the cause here. It's actually simpler than I thought and we just need to map the property onto Spring Session's `DefaultCookieSerializer` bean:

```java
@Bean
DefaultCookieSerializer cookieSerializer(ServerProperties serverProperties,
		ObjectProvider<DefaultCookieSerializerCustomizer> cookieSerializerCustomizers) {
	Cookie cookie = serverProperties.getServlet().getSession().getCookie();
	DefaultCookieSerializer cookieSerializer = new DefaultCookieSerializer();
	PropertyMapper map = PropertyMapper.get().alwaysApplyingWhenNonNull();
	map.from(cookie::getName).to(cookieSerializer::setCookieName);
	map.from(cookie::getDomain).to(cookieSerializer::setDomainName);
	map.from(cookie::getPath).to(cookieSerializer::setCookiePath);
	map.from(cookie::getHttpOnly).to(cookieSerializer::setUseHttpOnlyCookie);
	map.from(cookie::getSecure).to(cookieSerializer::setUseSecureCookie);
	map.from(cookie::getMaxAge).asInt(Duration::getSeconds).to(cookieSerializer::setCookieMaxAge);
	// Missing mapping: server.servlet.session.cookie.same-site -> DefaultCookieSerializer.setSameSite
	map.from(cookie::getSameSite).as(SameSite::attributeValue).to(cookieSerializer::setSameSite);
	// Customizers run last so application-supplied settings win
	cookieSerializerCustomizers.orderedStream().forEach((customizer) -> customizer.customize(cookieSerializer));
	return cookieSerializer;
}
```
That’s what I already do, but with
@wilkinsona I just saw this issue and wanted to leave the same comment as you did in the meantime. Anyway, if no one is working on this, I prepared the branch with changes to address this so I can proceed to submit the PR fairly soon. But this could also be a nice issue for first-timers so I'll let you decide.
…lizer This commit adds the mapping of `server.servlet.session.cookie.same-site` configuration property to `DefaultCookieSerializer` bean configured in the Spring Session auto-configuration. See spring-projectsgh-28772
As there was no feedback on the previous comment, I've opened #28784 to address this.
As reported by @OrangeDog on Gitter, there's an unfortunate mismatch between Servlet's default cookie name (`JSESSIONID`) and Spring Session's default cookie name (`SESSION`). This mismatch means that the `server.servlet.session.cookie.same-site` property has no effect when using Spring Session. I think that setting `server.servlet.session.cookie.name=SESSION` will get things working. We should confirm that this is the case and also see if there's something that we can do so that this works out of the box.
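As an added example (not code from this issue, from Spring Boot or from Spring Session): until the property mapping above is released, an application can register its own `DefaultCookieSerializerCustomizer` so that Spring Session's `SESSION` cookie carries an explicit `SameSite` attribute regardless of whether the `server.servlet.session.cookie.same-site` property is honoured. `DefaultCookieSerializerCustomizer`, `ServerProperties` and `Cookie.SameSite` are existing Spring Boot 2.6 types; the package and class name are assumed, and the `Lax` fallback is this example's own choice.

```java
package com.example.sessionfix; // assumed package

import org.springframework.boot.autoconfigure.session.DefaultCookieSerializerCustomizer;
import org.springframework.boot.autoconfigure.web.ServerProperties;
import org.springframework.boot.web.server.Cookie;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

/**
 * Workaround configuration (example, not part of Spring Boot): the customizer
 * is applied to the auto-configured DefaultCookieSerializer after Boot's own
 * property mapping, so the SameSite attribute set here is what ends up on the
 * SESSION cookie. Once the mapping from the issue is in place this bean is
 * harmless: it applies the same value the property would.
 */
@Configuration(proxyBeanMethods = false)
public class SessionCookieSameSiteConfiguration {

	@Bean
	DefaultCookieSerializerCustomizer sameSiteCookieSerializerCustomizer(ServerProperties serverProperties) {
		Cookie cookie = serverProperties.getServlet().getSession().getCookie();
		return (cookieSerializer) -> {
			Cookie.SameSite sameSite = cookie.getSameSite();
			// Honour server.servlet.session.cookie.same-site when set; otherwise
			// fall back to Lax so the session cookie is never emitted without
			// a SameSite attribute (fallback value is this example's choice).
			String attributeValue = (sameSite != null) ? sameSite.attributeValue() : "Lax";
			cookieSerializer.setSameSite(attributeValue);
		};
	}

}
```

After adding the bean, the quickest check is the `Set-Cookie` header of the first response that creates a session: the `SESSION` cookie should now include `SameSite=Lax` (or the configured value) alongside `HttpOnly` and, over HTTPS, `Secure`.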