@@ -92,6 +92,7 @@ public class Cookie implements Cloneable, Serializable {
9292 private boolean secure ; // ;Secure ... e.g. use SSL
9393 private int version = 0 ; // ;Version=1 ... means RFC 2109++ style
9494 private boolean isHttpOnly = false ;
95+ private SameSite sameSite = null ;
9596
9697 /**
9798 * Constructs a cookie with the specified name and value.
@@ -422,4 +423,101 @@ public void setHttpOnly(boolean isHttpOnly) {
422423 public boolean isHttpOnly () {
423424 return isHttpOnly ;
424425 }
426+
427+ /**
428+ * Sets the <i>SameSite</i> attribute for this cookie with the provided value.
429+ *
430+ * <p>
431+ * When <code>sameSite</code> is not <code>null</code>, this cookie will have its <code>SameSite</code>
432+ * attribute set with the provided value.
433+ *
434+ * @param sameSite the <i>SameSite</i> attribute's value; may be null if the attribute should not be set
435+ *
436+ * @since Servlet 5.0
437+ */
438+ public void setSameSite (SameSite sameSite ) {
439+ this .sameSite = sameSite ;
440+ }
441+
442+ /**
443+ * Returns the <i>SameSite</i> attribute associated with this cookie.
444+ *
445+ * @return the <i>SameSite</i> attribute associated with this cookie; may be null to indicate that the attribute
446+ * should not be set
447+ *
448+ * @since Servlet 5.0
449+ */
450+ public SameSite getSameSite () {
451+ return sameSite ;
452+ }
453+
454+ /**
455+ * The available values that can be used with the cookie's <i>SameSite</i> attribute.
456+ */
457+ public enum SameSite {
458+
459+ /**
460+ * This mode effectively disables the protection provided by SameSite cookies.
461+ *
462+ * <p>
463+ * When SameSiteMode is {@literal None}, applications should have additional measures to protect cookies
464+ * from CSRF attacks.
465+ *
466+ * <p>
467+ * Browsers may default to {@link SameSite#LAX} or {@link SameSite#STRICT} when the flag is not
468+ * explicitly set by applications in the Set-Cookie header. Setting the {@literal SameSite} attribute to
469+ * {@literal None} ensures that this default behavior is disabled in browsers.
470+ *
471+ * <p>
472+ * Note that this mode is browser dependent, and browsers may require cookies to have the {@literal Secure}
473+ * attribute to be set at the same time.
474+ */
475+ NONE ("None" ),
476+ /**
477+ * This mode allows sending cookies along for cross-site top level navigation requests.
478+ *
479+ * <p>
480+ * When SameSite is set to {@literal Lax}, the browser is allowed to send the cookie value along with top level
481+ * navigation requests when making requests cross-site.
482+ */
483+ LAX ("Lax" ),
484+ /**
485+ * This mode prevents browsers from sending cookies along with any kind of cross-site requests.
486+ *
487+ * <p>
488+ * When SameSite is set to {@literal Strict}, the browser is not allowed to send the cookie value along with
489+ * cross-site requests.
490+ *
491+ * <p>
492+ * This behaviour could prevent applications seeing the end-user's session when a cross-site navigation
493+ * takes place. To overcome this, applications should consider utilising multiple cookies to keep track of
494+ * sessions.
495+ */
496+ STRICT ("Strict" );
497+
498+ private final String value ;
499+
500+ SameSite (String value ) {
501+ this .value = value ;
502+ }
503+
504+ /**
505+ * Retrieves the {@link SameSite} instance from its String representation.
506+ *
507+ * @param value the String to be converted
508+ * @return the corresponding {@link SameSite} enum
509+ */
510+ public static SameSite fromString (String value ) {
511+ return valueOf (value .toUpperCase (Locale .ENGLISH ));
512+ }
513+
514+ /**
515+ * Gets the literal representation of the same site mode that can be included in Set-Cookie headers.
516+ *
517+ * @return the literal representation of the same site mode
518+ */
519+ public String toLiteral () {
520+ return value ;
521+ }
522+ }
425523}
0 commit comments