Same Site Cookie Attribute Feature Request

[davidgoate]

Summary

It would be nice if Spring Security would allow a developer an easy way to set authentication cookies to have the "same-site" attribute.

Although not supported in all browsers it is supported in Chrome, Opera and Android browsers:

• https://tools.ietf.org/html/draft-west-first-party-cookies-07
• https://www.owasp.org/index.php/SameSite

It'd be very nice if I could enable this with the YAML or properties files in a similar way to HTTP only or secure attribute for sessions:

server.session.cookie.secure=true
server.session.cookie.http-only=true

Perhaps like:

server.session.cookie.same-site=strict
server.session.cookie.same-site=lax

[j-white]

👍

[Jaaap]

This is a great idea.
It prevents CSRF attacks if used correctly.

[davidgoate]

I think this would be a really nice feature for spring security to offer but it's been over a year since I asked and hasn't had any traction.

I guess either it's not seen as useful, is being ignored due to lack of cross browser support support or due to it not being part of the non draft spec, or has some deep implementation issues such the underlying servlet API not being compatible. I don't think this is actually part of the official spec yet for state management (https://tools.ietf.org/html/rfc6265) but it does have support in chrome and firefox (https://caniuse.com/#search=same-site).

I guess one could achieve this by manually calling javax.servlet.http.HttpServletResponse.addHeader or similar and building the string yourself although i'd guess it's much more open to being error prone and feels somehow dirty to bypass the built in library semantics.

I guess due to lack of support in IE, Edge or some other browsers with some market share it'd be potentially dangerous to rely on this as the only level of CSRF protection.

Personally I'm still for this feature request, but perhaps those with more knowledge on the subject could weigh in to give opinions on this.

[rwinch]

The problem is that session and the respective Cookie is created by the Servlet Container without any control given to Spring Security. If you have a way we can implement this in a servlet container independent way, please let us know. Using addHeader is not guaranteed to work because the Servlet container manages the creation of the Session and Cookie.

We do have a ticket logged for Spring Session to support it which seems more feasible. See spring-projects/spring-session#1005

[rwinch]

Closing as this is implemented in Spring Session which does have control over the cookie creation

[Jaaap]

Could you possibly give us a pointer where to find this in Spring Session?

[mohsinkerai]

I found this in DefaultCookieSerializer, which comes under org.springframework.session package.

See my StackOverflow answer:
https://stackoverflow.com/a/58487733/5284920