CookieCsrfTokenRepository Optionally allows to set the SameSite attribute. #11913


Closed
void-spark opened this issue Sep 28, 2022 · 6 comments
Assignees
Labels
status: declined A suggestion or change that we don't feel we should currently apply

Comments

@void-spark

Expected Behavior

CookieCsrfTokenRepository can be configured with a setSameSite method taking an enum as its argument, allowing the SameSite attribute to be set for the XSRF cookie.

Current Behavior

CookieCsrfTokenRepository provides no way to specify using SameSite.

Context

This is inspired by #7537 (comment), which has collected several thumbs up by now :)

For us this is triggered by security requesting we add SameSite on our CSRF token, which right now we can only do by copy-pasting the CookieCsrfTokenRepository class and modifying it to use a ResponseCookie and adding the SameSite with that.

See also: https://stackoverflow.com/questions/60039647/is-it-possible-to-add-same-site-attribute-to-spring-security-csrfs-csrftokenre
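As an added illustration of the copy-and-modify workaround described above (not code from this issue or from Spring Security itself), the following CsrfTokenRepository delegates token generation and loading to CookieCsrfTokenRepository but writes the cookie through ResponseCookie so that SameSite can be set. The class name, its constructor and the use of the javax.servlet package (Spring Security 5.x) are assumptions.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.http.HttpHeaders;
import org.springframework.http.ResponseCookie;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.security.web.csrf.CsrfTokenRepository;
import org.springframework.util.StringUtils;

/**
 * Hypothetical repository: reuses CookieCsrfTokenRepository for generateToken/loadToken
 * (same "XSRF-TOKEN" cookie, same header and parameter names) and only replaces
 * saveToken so the Set-Cookie header can carry a SameSite attribute.
 */
public class SameSiteCookieCsrfTokenRepository implements CsrfTokenRepository {

    private static final String COOKIE_NAME = "XSRF-TOKEN";

    // Default repository; httpOnly=false so a JS client can read the cookie and echo it back.
    private final CookieCsrfTokenRepository delegate = CookieCsrfTokenRepository.withHttpOnlyFalse();

    private final String sameSite; // "Strict", "Lax" or "None"

    public SameSiteCookieCsrfTokenRepository(String sameSite) {
        this.sameSite = sameSite;
    }

    @Override
    public CsrfToken generateToken(HttpServletRequest request) {
        return delegate.generateToken(request);
    }

    @Override
    public CsrfToken loadToken(HttpServletRequest request) {
        return delegate.loadToken(request);
    }

    @Override
    public void saveToken(CsrfToken token, HttpServletRequest request, HttpServletResponse response) {
        String value = (token != null) ? token.getToken() : "";
        String path = request.getContextPath();
        ResponseCookie cookie = ResponseCookie.from(COOKIE_NAME, value)
                .path(StringUtils.hasLength(path) ? path : "/")
                .httpOnly(false)
                .secure(request.isSecure())
                .maxAge(token != null ? -1 : 0) // -1: session cookie; 0: delete the cookie
                .sameSite(sameSite)
                .build();
        // Write the raw Set-Cookie header; the servlet Cookie API has no SameSite setter.
        response.addHeader(HttpHeaders.SET_COOKIE, cookie.toString());
    }
}
```

Note that browsers reject SameSite=None cookies that are not also marked Secure, so "None" is only usable over HTTPS.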

@void-spark void-spark added status: waiting-for-triage An issue we've not yet triaged type: enhancement A general enhancement labels Sep 28, 2022
@marcusdacoregio
Contributor

Hi @void-spark.

Since Spring Boot 2.6, you can achieve this by providing a CookieSameSiteSupplier bean:

import org.springframework.boot.web.servlet.server.CookieSameSiteSupplier;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration(proxyBeanMethods = false)
public class MySameSiteConfiguration {

    // Adds SameSite=Lax to every cookie whose name matches the regex "myapp.*"
    @Bean
    public CookieSameSiteSupplier applicationCookieSameSiteSupplier() {
        return CookieSameSiteSupplier.ofLax().whenHasNameMatching("myapp.*");
    }

}

Is this what you are looking for?

@marcusdacoregio marcusdacoregio added the status: waiting-for-feedback We need additional information before we can continue label Sep 28, 2022
@void-spark
Author

Hmm, that uses some kind of cookie post-processing functionality at server level?
I guess it only works with Spring Boot in standalone/fat jar/embedded webserver mode?
I'm guessing that might work; is there any Spring documentation on the feature? :)

@spring-projects-issues spring-projects-issues added status: feedback-provided Feedback has been provided and removed status: waiting-for-feedback We need additional information before we can continue labels Sep 29, 2022
@marcusdacoregio
Contributor

I guess it only works with Spring Boot in standalone/fat jar/embedded webserver mode?

As far as I know, yes.

Here is the documentation about that feature: https://docs.spring.io/spring-boot/docs/current/reference/html/web.html#web.servlet.embedded-container.customizing.samesite

I'll close this for now but feel free to continue the discussion if you think there is value in adding this feature.

@marcusdacoregio marcusdacoregio added status: declined A suggestion or change that we don't feel we should currently apply and removed status: waiting-for-triage An issue we've not yet triaged type: enhancement A general enhancement status: feedback-provided Feedback has been provided labels Sep 29, 2022
@marcusdacoregio marcusdacoregio self-assigned this Sep 29, 2022
@martashorak

I guess it only works with Spring Boot in standalone/fat jar/embedded webserver mode?

As far as I know, yes.

Here is the documentation about that feature: https://docs.spring.io/spring-boot/docs/current/reference/html/web.html#web.servlet.embedded-container.customizing.samesite

I'll close this for now but feel free to continue the discussion if you think there is value in adding this feature.

Hi @marcusdacoregio,
Is there any way to use CookieSameSiteSupplier when deploying on standalone JBoss, or another non-embedded servlet container? From the documentation I got the feeling that you have to be using an embedded server, and only for the session cookie.

Thanks

@marcusdacoregio
Contributor

Hello @martashorak, I'm afraid that this question is more suited to StackOverflow, but I'm quite sure that it is possible to configure the cookies or override them if needed.

@svschouw-bb
Contributor

I think there still is value. Not everybody uses Spring Boot, and not everybody runs it in embedded mode. It feels like the Spring Boot method is a fairly elaborate hack which is webserver dependent, whereas this would be 1 setting in CookieCsrfTokenRepository.


5 participants