Question
What is the Spring Boot configuration to set the JSESSIONID cookie as SameSite=Strict?
JSESSIONID needs SameSite=Strict added to the existing cookie, not a new cookie generated. Is it supported?
Answer 1:
I used Rfc6265CookieProcessor to configure the SameSite flag in the Spring Boot application as a workaround.
build.gradle:
dependencies {
    implementation 'org.springframework.boot:spring-boot-starter-tomcat'
    ...
}
Config in the main class:
import org.apache.catalina.Context;
import org.apache.tomcat.util.http.Rfc6265CookieProcessor;
import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory;
import org.springframework.boot.web.servlet.server.ServletWebServerFactory;
import org.springframework.context.annotation.Bean;

@Bean
public ServletWebServerFactory servletContainer() {
    return new TomcatServletWebServerFactory() {
        @Override
        protected void postProcessContext(Context context) {
            // Replace Tomcat's default cookie processor with one that appends
            // SameSite=Strict to every cookie it writes, JSESSIONID included.
            Rfc6265CookieProcessor rfc6265CookieProcessor = new Rfc6265CookieProcessor();
            rfc6265CookieProcessor.setSameSiteCookies("Strict");
            context.setCookieProcessor(rfc6265CookieProcessor);
        }
    };
}
Answer 2:
This is not yet supported, according to this open issue in Spring Security.
Answer 3:
With Undertow 2.1.0.Final and later you can do it like this:
import io.undertow.server.handlers.CookieSameSiteMode;
import io.undertow.server.handlers.SameSiteCookieHandler;
import org.springframework.boot.web.embedded.undertow.UndertowServletWebServerFactory;
import org.springframework.context.annotation.Bean;

// Only cookies whose name matches this pattern get the SameSite attribute.
public static final String COOKIE_PATTERN = "JSESSIONID";

@Bean
public UndertowServletWebServerFactory undertowServletWebServerFactory() {
    UndertowServletWebServerFactory undertow = new UndertowServletWebServerFactory();
    // Wrap the deployment's handler chain so Set-Cookie headers for JSESSIONID
    // are rewritten with SameSite=Strict on the way out.
    undertow.addDeploymentInfoCustomizers(
        deploymentInfo -> deploymentInfo.addInitialHandlerChainWrapper(
            handler -> new SameSiteCookieHandler(handler, CookieSameSiteMode.STRICT.name(), COOKIE_PATTERN)
        ));
    return undertow;
}
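Whichever container configuration from Answer 1 or Answer 3 you choose, it is worth verifying that the attribute really reaches the wire. The integration test below is an added example, not code from the question or the answers: it starts the embedded container on a random port, hits a hypothetical probe endpoint that forces a session to be created, and asserts that the JSESSIONID Set-Cookie header carries SameSite=Strict. It assumes Spring Boot 2.x (javax.servlet), JUnit 5 and AssertJ on the test classpath, and that the probe endpoint is reachable without authentication.

```java
import static org.assertj.core.api.Assertions.assertThat;

import java.util.List;
import javax.servlet.http.HttpSession;
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.boot.test.web.client.TestRestTemplate;
import org.springframework.context.annotation.Import;
import org.springframework.http.HttpHeaders;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@SpringBootTest(webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT)
@Import(SessionCookieSameSiteTest.SessionProbe.class)
class SessionCookieSameSiteTest {

    // Hypothetical endpoint (not part of the original answers) that touches the
    // HttpSession so the container has to issue a JSESSIONID cookie.
    @RestController
    static class SessionProbe {
        @GetMapping("/session-probe")
        String probe(HttpSession session) {
            return session.getId();
        }
    }

    @Autowired
    private TestRestTemplate rest;

    @Test
    void jsessionidIsIssuedWithSameSiteStrict() {
        ResponseEntity<String> response = rest.getForEntity("/session-probe", String.class);

        // A real HTTP round trip through the embedded container, so the cookie processor
        // (Tomcat) or handler wrapper (Undertow) has actually run on this response.
        List<String> setCookie = response.getHeaders().getOrDefault(HttpHeaders.SET_COOKIE, List.of());
        String sessionCookie = setCookie.stream()
                .filter(c -> c.startsWith("JSESSIONID="))
                .findFirst()
                .orElseThrow(() -> new AssertionError("no JSESSIONID cookie in " + setCookie));

        // Attribute names are case-insensitive per RFC 6265, hence the relaxed match.
        assertThat(sessionCookie).containsIgnoringCase("SameSite=Strict");
    }
}
```

A MockMvc test would not catch a misconfiguration here, because MockMvc never goes through the container's cookie handling.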
Source: https://stackoverflow.com/questions/53044148/setting-jsessonid-cookie-to-samesite-strict-attribute-in-spring-boot