Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support SameSite Cookie #1005

Closed
rwinch opened this issue Feb 26, 2018 · 4 comments
Closed

Support SameSite Cookie #1005

rwinch opened this issue Feb 26, 2018 · 4 comments
Assignees
@vpavic
Labels
in: core type: enhancement A general enhancement
Milestone
2.1.0.M1

Comments

@rwinch
Copy link
Member

rwinch commented Feb 26, 2018

We should add support for using SameSite Cookie for session cookie to mitigate CSRF attacks. See https://scotthelme.co.uk/csrf-is-dead/
@rwinch rwinch added this to the 2.1.0.M1 milestone Feb 26, 2018
@richard1122
Copy link

richard1122 commented Apr 23, 2018
edited
Loading

Hi, are there any plans to support SameSite cookie in spring-session 1.x.x ?

@rwinch rwinch mentioned this issue Jun 16, 2018
Closed
@rwinch
Copy link
Member Author

rwinch commented Jul 15, 2018

@richard1122 If someone sent a PR that was passive with tests we would consider it.

@vpavic vpavic self-assigned this Jul 15, 2018
@vpavic vpavic added type: enhancement A general enhancement in: core labels Jul 20, 2018
@vpavic vpavic mentioned this issue Jul 20, 2018
Closed
vpavic added a commit to vpavic/spring-session that referenced this issue Jul 26, 2018
@vpavic
Add support for SameSite cookie directive
9a0b682 
Closes spring-projectsgh-1005
vpavic added a commit to vpavic/spring-session that referenced this issue Jul 27, 2018
@vpavic
Add support for SameSite cookie directive
f9e6bc7 
Closes spring-projectsgh-1005
@vpavic vpavic closed this as completed in 00465a6 Jul 30, 2018
@vpavic vpavic mentioned this issue Aug 3, 2018
Closed
@candrews candrews mentioned this issue Oct 31, 2018
Closed
@jmpavlec
Copy link

jmpavlec commented Sep 17, 2019
edited
Loading

Was this included in a migration guide anywhere or mentioned in the docs? I was not able to find any references about it. Making SameSite=lax for the SESSION cookie as the new default for Spring Session has some implications depending on the browser used. It potentially breaks some cross-domain SSO/SLO functionality that was dependent on the SESSION cookie. Safari also has a bug related to overriding it to be SameSite=none https://bugs.webkit.org/show_bug.cgi?id=198181

More clearly outlined in https://web.dev/samesite-cookies-explained/

Edit: Found it mentioned in release notes: https://spring.io/blog/2018/10/31/spring-session-bean-ga-released

@vpavic
Copy link
Contributor

vpavic commented Sep 27, 2019

You're right @jmpavlec, we should provide some info about SameSite support in our reference manual. I've opened #1517 to take care of that.

If you're facing any issues due to presence of SameSite directive in our session cookie, you could disable it by providing a null value to DefaultCookieSerializer#setSameSite. Note that this requires overriding the default cookie serializer by providing your own DefaultCookieSerializer @Bean.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@vpavic vpavic

Labels
in: core type: enhancement A general enhancement
Projects
None yet
Milestone
2.1.0.M1
Development

No branches or pull requests
4 participants
@rwinch @vpavic @richard1122 @jmpavlec