Same-Site flag for session cookie in Spring Security

by

New Tomcat version support SameSite cookies via TomcatContextCustomizer. So you should only customize tomcat CookieProcessor, e.g. for Spring Boot:

@Configuration
public class MvcConfiguration implements WebMvcConfigurer {
    @Bean
    public TomcatContextCustomizer sameSiteCookiesConfig() {
        return context -> {
            final Rfc6265CookieProcessor cookieProcessor = new Rfc6265CookieProcessor();
            cookieProcessor.setSameSiteCookies(SameSiteCookies.NONE.getValue());
            context.setCookieProcessor(cookieProcessor);
        };
    }
}

For SameSiteCookies.NONE be aware, that cookies are also Secure (SSL used), otherwise they couldn’t be applied.

By default since Chrome 80 cookies considered as SameSite=Lax!

See SameSite Cookie in Spring Boot and SameSite cookie recipes.

For nginx proxy it could be solved easily in nginx config:

if ($scheme = http) {
    return 301 https://$http_host$request_uri;
}

proxy_cookie_path / "/; secure; SameSite=None";

UPDATE from @madbreaks:
proxy_cookie_flags iso proxy_cookie_path

proxy_cookie_flags ~ secure samesite=none;

More Related Contents:

  1. Cross-Domain Cookies
  2. Cookies on localhost with explicit domain
  3. Where to store JWT in browser? How to protect against CSRF?
  4. Fetch API with Cookie
  5. Why is it common to put CSRF prevention tokens in cookies?
  6. Safari doesn’t set Cookie but IE / FF does
  7. SameSite warning Chrome 77
  8. Setting a cookie using JavaFX’s WebEngine/WebView
  9. How does Facebook set cross-domain cookies for iFrames on canvas pages?
  10. Why won’t asp.net create cookies in localhost?
  11. Preventing CSRF with the same-site cookie attribute
  12. Spring Security 3.2 CSRF support for multipart requests
  13. What is the maximum size of a cookie, and how many can be stored in a browser for each web site?
  14. Spring CSRF token does not work, when the request to be sent is a multipart request
  15. How cookies work?
  16. Can two different browser share one cookie?
  17. Send cookies with curl
  18. IE8 losing session cookies in popup windows
  19. how to disable cookies using webdriver for Chrome and FireFox JAVA
  20. Cookie path and its accessibility to subfolder pages
  21. How do I access HttpContext in Server-side Blazor?
  22. How to set SameSite and Secure attribute to JSESSIONID cookie
  23. Safari not sending cookie even after setting SameSite=None; Secure
  24. Sending cookies with postman
  25. What is a host only cookie?
  26. How to add a cookie to the cookiejar in python requests library
  27. Yahoo Finance Historical data downloader url is not working
  28. Cookies Only set in Chrome – not set in Safari, Mobile Chrome, or Mobile Safari
  29. When does a cookie with expiration time ‘At end of session’ expire?
  30. How to handle expired access token in asp.net core using refresh token with OpenId Connect

Leave a Comment