Spring: Unable to set SameSite cookie to None

java spring cookies spring-boot samesite

I think the issue is that the underlying javax.servlet.http.Cookie does not support the SameSite attribute, let alone the new None value.

Instead you can set this directly as a header, assuming your response is an instance of javax.servlet.http.HttpServletResponse:

ResponseCookie cookie = ResponseCookie.from("Hb", cookieUserId)
            .maxAge(!isEmpty(cookieUserId) ? MAX_COOKIE_DURATION : 0)
            .domain("test.com")
            .sameSite("None")
            .secure(true)
            .path("/")
            .build();
 response.addHeader(HttpHeaders.SET_COOKIE, cookie.toString());

Here is a solution using your own CookieSerializer bean. You can simply add this to your BootApplication Class: 

@Bean
public CookieSerializer cookieSerializer() {
    DefaultCookieSerializer cookieSerializer = new DefaultCookieSerializer();
    cookieSerializer.setSameSite("None");
    return cookieSerializer;
}

However this will override the default spring session attributes like the session same server.servlet.session.cookie.name and maxAge server.servlet.session.cookie.max-age. So a more complete solution looks like this:

...
@Autowired
private CookieConfiguration cookieConfiguration;

@Bean
public CookieSerializer cookieSerializer() {
    DefaultCookieSerializer cookieSerializer = new DefaultCookieSerializer();
    cookieSerializer.setSameSite("None");
    cookieSerializer.setCookieName(cookieConfiguration.getName());
    cookieSerializer.setDomainName(cookieConfiguration.getDomain());
    cookieSerializer.setCookiePath(cookieConfiguration.getPath());
    cookieSerializer.setUseHttpOnlyCookie(cookieConfiguration.isHttpOnly());
    cookieSerializer.setUseSecureCookie(cookieConfiguration.isSecure());
    cookieSerializer.setCookieMaxAge((Long.valueOf(cookieConfiguration.getMaxAge().toSeconds())).intValue());
    // TODO check if rememberMeServices need additional configuration here

    return cookieSerializer;
}

And the Configuration Class. 

@ConfigurationProperties(prefix = "server.servlet.session.cookie")
@Configuration("cookieProperties")
@Getter
@Setter
public class CookieConfiguration {

    private String comment;
    private String domain;
    private boolean httpOnly;
    private Duration maxAge;
    private String name;
    private String path;
    private boolean secure;

}

I'm not sure if there is a better solution to apply the configuration properties and only override the samesite attribute. I can imagine in a future spring boot version this option/property will be included. Also as you see in the TODO code comment I did not test this solution with active remember-me services. The solution was tested in spring boot version 2.1.6.RELEASE and inspire from the code found in org/springframework/boot/autoconfigure/session/SessionAutoConfiguration.class.


You can configure SameSite via TomcatContextCustomizer:

@Configuration
public class MvcConfiguration implements WebMvcConfigurer {

  @Bean
  public TomcatContextCustomizer sameSiteCookiesConfig() {
    return context -> {
        final Rfc6265CookieProcessor cookieProcessor = new Rfc6265CookieProcessor();
        cookieProcessor.setSameSiteCookies(SameSiteCookies.NONE.getValue());
        context.setCookieProcessor(cookieProcessor);
    };
  }

Cookies for cross-site usage must specify SameSite=None; Secure to enable inclusion in third party context (https://web.dev/samesite-cookie-recipes/).

Related

Finding difference within grouped dataframe in python
Access position of grid layout in tkinter
Comma separated list in Liquid
How to prevent DDoS attack on Google Cloud Storage
windows server 2012 resolution woes with vga
Should Cat6 cables be used for servers ('important hosts') rather than Cat5-E?
How to automate slipstream?
Which DHCP Client OS Support DHCP Option 119 Domain Suffix Search?
ldap force user to change password
IPv6 DHCP Configuration
Understanding virtual memory usage > swap + physical on Linux
Cannot ping over LAN until a ping is received