Configure SameSite attribute on session Cookies with Spring Session #15047
Comments
spring-projects-issues
added
the
status: waiting-for-triage
|
This looks like a sensible addition, but I'd rather scope it specifically to Spring Session rather than make it a general feature. I've no idea if/when I think we should add it under |
philwebb
added
type: enhancement
|
I don't know if it makes sense to just make the |
|
Oh yeah :( Actually, I'm a little confused as to how you change the Looks like we'd need to register a |
philwebb
added
status: on-hold
|
This is turning out to be a bigger feature than just Spring Session I think. We'll need to look across the board at how we should support the option. Some relevant links:
|
|
I can chime in with Spring Session side of things regarding In Spring Session's With cookie based implementation, the concept of I'm describing all this to make it clear that any extension of Spring Boot's auto-configuration support for Spring Session as requested here would likely have to consider both Spring Session's configuration facilities try to be customization friendly by doing the following things:
So one can customize the Having said that, the proposed For reactive side of the things, the entire story is completely out of Spring Session's scope as Considering that Spring Session's configuration is fairly simple to customize on its own, as well as the complexity the would be required to add to auto-configuration support in Spring Boot (and which would in big part duplicate what Spring Session's own configuration already offers on its own), and that there's no support for |
|
Can we add a Right now, it's supportable for Spring Session. Support can be added for base servlet, WebFlux, etc as those packages gain SameSite support. |
|
|
|
Sorry, I meant |
|
That comes back to @vpavic's earlier point which I agree with:
I wouldn't want a general |
|
Even if the intent is to work with the servlet spec when it's updated, meaning this would be a temporary situation? |
|
Yes as things would be confusing in the interim. Furthermore, there’s no guarantee that it would be temporary as the Servlet spec is out of our control. |
I'm inclined to agree. I'm going to close this one for now and wait to see how any Servlet API spec changes work out. |
philwebb
added
status: declined
|
Given this was declined, it seems that |
|
As well as SAML, it appears the defaults also make it impossible to use For others looking for property-based configuration, simply add this bean. @Bean
@ConfigurationProperties("spring.session.cookie")
public DefaultCookieSerializer cookieSerializer() {
return new DefaultCookieSerializer();
} |
|
Seems this is getting more urgent: |
|
This is properly supported in Spring Framework as of 5.1.10, see spring-projects/spring-framework#23693 and spring-projects/spring-framework#20964 - we'll consider how this should be supported in MVC and WebFlux. |
|
i'm current using the default embedded tomcat servlet , spring boot 2.1.8 with NO spring boot session. it seems tomcat can be configured to have a Rfc6265CookieProcessor with sameSite=Strict @Configuration
public class TomcatConfiguration {
@Bean
WebServerFactoryCustomizer<TomcatServletWebServerFactory> cookieProcessorCustomizer() {
return new WebServerFactoryCustomizer<TomcatServletWebServerFactory>() {
@Override
public void customize(TomcatServletWebServerFactory tomcatServletWebServerFactory) {
tomcatServletWebServerFactory.addContextCustomizers(new TomcatContextCustomizer() {
@Override
public void customize(Context context) {
Rfc6265CookieProcessor processor=new Rfc6265CookieProcessor();
processor.setSameSiteCookies("strict");
context.setCookieProcessor(processor);
}
});
}
};
}
}one remark is that ALL cookies set by this tomcat instance will have sameSite=strict, if that's not what you want, you can extend the cookie processor class and add some custom logic for this. |
|
@lucwillems Thanks for the code snippet, I tried this but |
As you may know, this bug was already fixed at the time of your post, and is now released. |
|
I feel a headache coming on... |
|
Yes, in particular Apple refuses to make a patch for iOS 12, so setting sameSite to None in all cases won't cut it. |
|
FYI, Chrome 80 has now rolled out |
|
Although the SameSite feature is being released more slowly: https://www.chromium.org/updates/same-site |
|
An easy way around this problem is to use org.springframework.http.ResponseCookie class. The class has a nice builder with samesite property. |
That's what WebFlux does for Servlet containers and for Netty. For Undertow only it relies on the built-in support. It is more challenging to do this for Spring MVC where we are not in control of the abstraction. Probably the best route is (for applications) to rely on whatever the underlying server provides since all applications on that server are facing the same issue. |
|
I did a little investigation and it appears that at all of the out-of-the-box supported containers (Tomcat, Jetty, Netty and Undertow) each have a custom way of enabling and setting the SameSite attribute. Couldn't this be part of the configuration of the embedded containers, that when set to LAX, STRICT it will be enabled with that value? Or at least with the Servlet containers (as it appears to be workable from a reactive point already). |
bclozel
changed the title
|
Since the initial scope of this issue was about Spring Session, and since we can't obviously solve all the different aspects of this support, I've created different issues for Spring WebFlux #20970 and Servlet-based apps #20971. I'll try and add the relevant information in each issue. In the meantime, I'm closing this issue in favor of #20961 which is addressing the issue without conflating Spring Session support with future Servlet spec support. |
bclozel
added
status: superseded
|
@mdeinum I've tried to summarize my findings in #20971. As @rstoyanchev pointed out, I'm not sure we're in a position to provide a consistent support with all Servlet containers. Don't hesitate to comment on that issue. |
Currently, there's no way from
application.propertiesto configure the Spring Session session cookie'sSameSiteattribute. It would be nice to be able to do that.For consistency with the existing
server.servlet.session.cookieproperties, I suggest:server.servlet.session.cookie.sameSitewith a default value of "Lax" (to match Spring Session 2.1's behavior defined in DefaultCookieSerializer). A value of empty string would map tonull(which results inDefaultCookieSerializernot setting theSameSiteattribute on the cookie).SessionAutoConfiguration would implement this behavior.
This setting would have no effect when Spring Session is not in use as no servlet containers currently expose a means by which to set the
SameSiteattribute on their session cookies (support for that can be added as containers gain that ability).Note that this is likely to be increasingly used as the default session cookie in Spring Session 2.1 has the attribute
SameSite=Lax(see spring-projects/spring-session#1005) which breaks SAML login, so anyone using SAML (such as via Spring Security SAML) is going to have to need to change this configuration:https://groups.google.com/a/chromium.org/d/msg/security-dev/AxY6BpkkH9U/vgKbDm7rFgAJ
As a further enhancement, perhaps if Spring Security SAML is detected,
server.servlet.sessioncan be set to null by default instead of "Lax".The text was updated successfully, but these errors were encountered: