CookieWebSessionIdResolver should leverage SameSite Cookie Attribute [SPR-16418] #20964
Comments
Juergen Hoeller commented: This seems to be supported in Chrome already and in the works for Firefox, so I suppose our 5.1 timeline might be a good fit.
Rossen Stoyanchev commented: As part of #20964, I've added a Consumer based method that can customize anything about a cookie. Considering that SameSite is set by default, perhaps we could remove the new SameSite-related methods that were just added? The same can easily be achieved now without them.
Rob Winch commented: I think it is quite a bit less obvious if we remove the SameSite related methods, so I'd personally prefer to keep them there.
Rossen Stoyanchev commented: The only reason it occurred to me is because SameSite is set to "Strict" by default and perhaps I thought setting it explicitly might be a less common, and more advanced option?
Rob Winch commented: I guess I'm missing what exactly would be done. It sounded as though these methods would be removed, which means the property would be removed too. If that is removed, it appears that sameSite will be null since it is null in the builder by default. However, you were saying that SameSite is set to "Strict" by default. I think I'm missing something?
Rossen Stoyanchev commented: Good point that the sameSite property of ResponseCookie is not set by default. Is that intentional, or is it simply not an issue since CookieWebSessionIdResolver sets it anyway? Effectively right now "Strict" is the default, and if that's the preferred default setting, we can make sure it's set that way at the level of ResponseCookie.
Rob Winch commented: I believe it is just not an issue since CookieWebSessionIdResolver sets it anyways. If the value were defaulted in the builder, then I think that would also achieve the goal of this ticket.
Rossen Stoyanchev commented: This is the resulting update, in the end keeping everything the same except the
Vedran Pavic commented: Isn't See this article for some considerations around the topic. The owasp.org also supports
Rossen Stoyanchev commented: There is now a suggested change #1889 along with comments above.
Rob Winch commented: Thanks for pinging me Rossen. I agree with Vedran's suggestion. Thanks for the PR and comments Vedran!
Rob Winch opened SPR-16418 and commented:
It may be a little early for this given the limited browser support, but we should consider setting the `SameSite` attribute on session cookies, as this will prevent CSRF attacks without the need for any special code. See https://tools.ietf.org/html/draft-west-first-party-cookies-07
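As an added illustration of the outcome discussed in this thread (not code from the issue or from the Spring project itself), the following assumes Spring Framework 5.1+ with spring-test on the classpath, uses the Consumer-based `addCookieInitializer` method mentioned above to set `SameSite` explicitly, and then checks the session cookie the resolver actually writes; the cookie name, max-age and session id are constructed values.

```java
import java.time.Duration;

import org.springframework.http.ResponseCookie;
import org.springframework.mock.http.server.reactive.MockServerHttpRequest;
import org.springframework.mock.web.server.MockServerWebExchange;
import org.springframework.web.server.session.CookieWebSessionIdResolver;

public class SameSiteSessionCookieCheck {

    // Hypothetical application wiring: explicit SameSite via the Consumer-based initializer,
    // rather than relying on whatever the resolver applies by default.
    static CookieWebSessionIdResolver sessionIdResolver() {
        CookieWebSessionIdResolver resolver = new CookieWebSessionIdResolver();
        resolver.setCookieName("SESSION");                 // constructed name
        resolver.setCookieMaxAge(Duration.ofMinutes(30));  // constructed lifetime
        resolver.addCookieInitializer(builder -> builder.sameSite("Strict"));
        return resolver;
    }

    // Drive the resolver against a mock HTTPS exchange and return the cookie it set.
    static ResponseCookie issuedSessionCookie(CookieWebSessionIdResolver resolver) {
        MockServerWebExchange exchange = MockServerWebExchange.from(
                MockServerHttpRequest.get("https://example.test/").build());
        resolver.setSessionId(exchange, "constructed-session-id");
        return exchange.getResponse().getCookies().getFirst("SESSION");
    }

    // Returns true only when the cookie carries the attributes that keep it off
    // cross-site requests (SameSite) and away from script (HttpOnly).
    static boolean isHardened(ResponseCookie cookie) {
        return cookie != null
                && cookie.getSameSite() != null
                && cookie.isHttpOnly();
    }

    public static void main(String[] args) {
        ResponseCookie cookie = issuedSessionCookie(sessionIdResolver());
        if (!isHardened(cookie)) {
            throw new IllegalStateException("session cookie is missing SameSite or HttpOnly: " + cookie);
        }
        // Set-Cookie value as the browser would receive it, e.g. "...; HttpOnly; SameSite=Strict"
        System.out.println(cookie);
    }
}
```

Running the check as part of a test suite catches a regression where a later cookie initializer, or a configuration change, silently drops the `SameSite` attribute from the session cookie.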