Configure SameSite attribute on session Cookies with Spring Session

[candrews]

Currently, there's no way from application.properties to configure the Spring Session session cookie's SameSite attribute. It would be nice to be able to do that.

For consistency with the existing server.servlet.session.cookie properties, I suggest:
server.servlet.session.cookie.sameSite with a default value of "Lax" (to match Spring Session 2.1's behavior defined in DefaultCookieSerializer). A value of empty string would map to null (which results in DefaultCookieSerializer not setting the SameSite attribute on the cookie).

SessionAutoConfiguration would implement this behavior.

This setting would have no effect when Spring Session is not in use as no servlet containers currently expose a means by which to set the SameSite attribute on their session cookies (support for that can be added as containers gain that ability).

Note that this is likely to be increasingly used as the default session cookie in Spring Session 2.1 has the attribute SameSite=Lax (see spring-projects/spring-session#1005) which breaks SAML login, so anyone using SAML (such as via Spring Security SAML) is going to have to need to change this configuration:

https://groups.google.com/a/chromium.org/d/msg/security-dev/AxY6BpkkH9U/vgKbDm7rFgAJ

As a further enhancement, perhaps if Spring Security SAML is detected, server.servlet.session can be set to null by default instead of "Lax".

[philwebb]

This looks like a sensible addition, but I'd rather scope it specifically to Spring Session rather than make it a general feature. I've no idea if/when javax.servlet.http.Cookie will get the equivalent support and if feels a bit odd that a server.servlet.session.samesite property would just be ignored.

I think we should add it under spring.session.cookie.samesite and probably offer an enum with OFF, STRICT and LAX as values.

[mbhave]

I don't know if it makes sense to just make the sameSite attribute configuration for Spring Session. There are other things that can be configured such as cookieMaxAge etc and we don't have configuration properties for those either under SessionProperties.

[philwebb]

Oh yeah :(

Actually, I'm a little confused as to how you change the sameSite attribute at all. The org.springframework.session.config.annotation.web.http.SpringHttpSessionConfiguration class seems to create a DefaultCookieSerializer then call setters from javax.servlet.SessionCookieConfig. I guess we currently rely on that.

Looks like we'd need to register a CookieSerializer as a bean and do that createDefaultCookieSerializer work ourselves.

[philwebb]

This is turning out to be a bigger feature than just Spring Session I think. We'll need to look across the board at how we should support the option.

Some relevant links:

• spring-projects/spring-framework@09d9450
• [feature request] add support for SameSite cookie attribute netty/netty#6509
• http://mail-archives.apache.org/mod_mbox/tomcat-dev/201806.mbox/%3Cb5cf92e1-01d0-8dff-7a72-6a5080d46543@apache.org%3E
• https://issues.jboss.org/browse/UNDERTOW-1024
• undertow-io/undertow@c40847e

[vpavic]

I can chime in with Spring Session side of things regarding SameSite cookie attribute, and everything around it which might be relevant from the perspective of extending the Spring Session auto-configuration support.

In Spring Session's HttpSession (i.e. Servlet) integration, there is a concept of HttpSessionIdResolver, which is the strategy for correlating incoming HTTP request to session - by default, a cookie based implementation (CookieHttpSessionIdResolver) is used while we also offer header based implementation (HeaderHttpSessionIdResolver) out of the box.

With cookie based implementation, the concept of CookieSerializer comes into play as well. This is the component that's responsible for writing the session cookie, and which the SameSite related configuration property would ultimately be mapped to.

I'm describing all this to make it clear that any extension of Spring Boot's auto-configuration support for Spring Session as requested here would likely have to consider both HttpSessionIdResolver and CookieSerializer.

Spring Session's configuration facilities try to be customization friendly by doing the following things:

• if user registers a bean of type HttpSessionIdResolver, we pick it up and use instead of the default cookie based one
• if user registers a bean of type CookieSerializer, we pick it up and configure the default cookie based HttpSessionIdResolver to use it
• we try to configure the default CookieSerializer based on SessionCookieConfig

So one can customize the SameSite attribute of session cookie registering DefaultCookieSerializer bean with DefaultCookieSerializer#setSameSite set to null (or even go a step further and register the desirable HttpSessionIdResolver bean).

Having said that, the proposed server.servlet.session.samesite doesn't really make sense, as SameSite is cookie related and therefore any property related to it should sit under server.servlet.session.cookie namespace. However, since server.servlet.session.cookie actually maps SessionCookieConfig this would be confusing as Servlet API provides no SameSite support at the moment.

For reactive side of the things, the entire story is completely out of Spring Session's scope as WebSessionIdResolver (which is the equivalent of Spring Session's HttpSessionIdResolver) is actually a part of Spring WebFlux.

Considering that Spring Session's configuration is fairly simple to customize on its own, as well as the complexity the would be required to add to auto-configuration support in Spring Boot (and which would in big part duplicate what Spring Session's own configuration already offers on its own), and that there's no support for SameSite attribute in Servlet API, I'd recommend against making any changes. If Servlet API catches up in some future release and adds support for SameSite, the problem will solve itself as we on Spring Session side would pick up the new property from SessionCookieConfig and configure the default serializer accordingly.

[candrews]

Can we add a SameSite property (the type being an enum having values for lax, strict, and none, defaulting to lax) to SessionCookieConfig now, but have it not do anything for session implementations that don't support the SameSite attribute?

Right now, it's supportable for Spring Session. Support can be added for base servlet, WebFlux, etc as those packages gain SameSite support.

[vpavic]

SessionCookieConfig is a Servlet API thing.