From 43d6ceb6f0e68fc456dbece65c01ee723c34c9c0 Mon Sep 17 00:00:00 2001
From: Rossen Stoyanchev
Date: Mon, 2 Jul 2018 17:35:26 -0400
Subject: [PATCH] Align settings for sameSite and secure flag

After this change sameSite still gets a default value of "Strict" in CookieWebSessionIdResolver but for changes to either sameSite or secure it is now expected to use addCookieInitializer(Consumer).

Issue: SPR-16418, SPR-16980
---
.../springframework/http/ResponseCookie.java | 1 -
.../session/CookieWebSessionIdResolver.java | 30 +++----------------
2 files changed, 4 insertions(+), 27 deletions(-)

diff --git a/spring-web/src/main/java/org/springframework/http/ResponseCookie.java b/spring-web/src/main/java/org/springframework/http/ResponseCookie.java
index 1bfe0d6d73..c502633210 100644
--- a/spring-web/src/main/java/org/springframework/http/ResponseCookie.java
+++ b/spring-web/src/main/java/org/springframework/http/ResponseCookie.java
@@ -296,7 +296,6 @@ public final class ResponseCookie extends HttpCookie {
 *

 This limits the scope of the cookie such that it will only be
 * attached to same site requests if {@code "Strict"} or cross-site
 * requests if {@code "Lax"}.
- *

 By default set to {@code "Strict"}.
 * @since 5.1
 * @see RFC6265 bis
 */
diff --git a/spring-web/src/main/java/org/springframework/web/server/session/CookieWebSessionIdResolver.java b/spring-web/src/main/java/org/springframework/web/server/session/CookieWebSessionIdResolver.java
index bd376274ac..a4f3ed78f3 100644
--- a/spring-web/src/main/java/org/springframework/web/server/session/CookieWebSessionIdResolver.java
+++ b/spring-web/src/main/java/org/springframework/web/server/session/CookieWebSessionIdResolver.java
@@ -42,8 +42,6 @@ public class CookieWebSessionIdResolver implements WebSessionIdResolver {
 private Duration cookieMaxAge = Duration.ofSeconds(-1);
- private String sameSite = "Strict";
-
 @Nullable
 private Consumer cookieInitializer = null;
@@ -82,26 +80,6 @@ public class CookieWebSessionIdResolver implements WebSessionIdResolver {
 return this.cookieMaxAge;
 }
- /**
- * Set the value for the "SameSite" attribute of the cookie that holds the
- * session id. For its meaning and possible values, see
- * {@link ResponseCookie#getSameSite()}.
- *

By default set to {@code "Strict"}. - * @param sameSite the SameSite value - * @since 5.1 - */ - public void setSameSite(String sameSite) { - this.sameSite = sameSite; - } - - /** - * Return the configured "SameSite" attribute value for the session cookie. - * @since 5.1 - */ - public String getSameSite() { - return this.sameSite; - } - /** * Add {@link Consumer} for a {@link ResponseCookie.ResponseCookieBuilder * ResponseCookieBuilder} that will be invoked for each cookie being built, @@ -129,25 +107,25 @@ public class CookieWebSessionIdResolver implements WebSessionIdResolver { @Override public void setSessionId(ServerWebExchange exchange, String id) { Assert.notNull(id, "'id' is required"); - ResponseCookie cookie = initSessionCookie(exchange, id, getCookieMaxAge(), getSameSite()); + ResponseCookie cookie = initSessionCookie(exchange, id, getCookieMaxAge()); exchange.getResponse().getCookies().set(this.cookieName, cookie); } @Override public void expireSession(ServerWebExchange exchange) { - ResponseCookie cookie = initSessionCookie(exchange, "", Duration.ZERO, null); + ResponseCookie cookie = initSessionCookie(exchange, "", Duration.ZERO); exchange.getResponse().getCookies().set(this.cookieName, cookie); } private ResponseCookie initSessionCookie( - ServerWebExchange exchange, String id, Duration maxAge, @Nullable String sameSite) { + ServerWebExchange exchange, String id, Duration maxAge) { ResponseCookie.ResponseCookieBuilder cookieBuilder = ResponseCookie.from(this.cookieName, id) .path(exchange.getRequest().getPath().contextPath().value() + "/") .maxAge(maxAge) .httpOnly(true) .secure("https".equalsIgnoreCase(exchange.getRequest().getURI().getScheme())) - .sameSite(sameSite); + .sameSite("Strict"); if (this.cookieInitializer != null) { this.cookieInitializer.accept(cookieBuilder);