CookieRequestCache should set SameSite on the REDIRECT_URI cookie #15204

Closed
2is10 opened this issue Jun 5, 2024 · 2 comments
Labels: status: duplicate (a duplicate of another issue), type: bug (a general bug)

Comments

2is10 commented Jun 5, 2024

Describe the bug
When using CookieRequestCache, Firefox complains:

Cookie “REDIRECT_URI” does not have a proper “SameSite” attribute value. Soon, cookies without the “SameSite” attribute or with an invalid value will be treated as “Lax”. This means that the cookie will no longer be sent in third-party contexts. If your application depends on this cookie being available in such contexts, please add the “SameSite=None“ attribute to it. To know more about the “SameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite

To Reproduce
Configure your application to use CookieRequestCache, like so:

http.requestCache(config -> config.requestCache(new CookieRequestCache()));

Note that due to #2932 you likely also need to separately pass the CookieRequestCache to SavedRequestAwareAuthenticationSuccessHandler.

Expected behavior
No warning in Firefox. The POST /login request should also not show up as “blocked”.

Sample

No sample provided. This is easy to try on any project.

2is10 added the "status: waiting-for-triage" and "type: bug" labels on Jun 5, 2024
marcusdacoregio self-assigned this on Jun 10, 2024
marcusdacoregio removed the "status: waiting-for-triage" label on Jun 10, 2024

marcusdacoregio (Contributor) commented

Hi @2is10, thanks for the report.

I believe that we could add some kind of customizer to the cookie in the CookieRequestCache implementation, similar to #15203, what do you think?

I don't think that we should set a default value to that attribute tho, since the docs mention that the attribute is optional and, if not provided, a default value (defined by the browser) will be used.

marcusdacoregio (Contributor) commented

Closed via #15685
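
A possible interim workaround for the warning reported in this issue, as an added example that is not code from the issue or from Spring Security: a servlet filter that sets SameSite on the REDIRECT_URI cookie as it is written. The class name RedirectUriSameSiteFilter and the choice of value are assumptions, as is a Jakarta Servlet 6.0+ container (needed for Cookie#setAttribute).

```java
import java.io.IOException;

import jakarta.servlet.Filter;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
import jakarta.servlet.http.Cookie;
import jakarta.servlet.http.HttpServletResponse;
import jakarta.servlet.http.HttpServletResponseWrapper;

/**
 * Hypothetical filter (not part of Spring Security): adds a SameSite
 * attribute to the REDIRECT_URI cookie written by CookieRequestCache.
 * Assumes Jakarta Servlet 6.0+, where Cookie#setAttribute exists.
 */
public class RedirectUriSameSiteFilter implements Filter {

    // Cookie name as it appears in the Firefox warning quoted in the report.
    private static final String COOKIE_NAME = "REDIRECT_URI";

    // Assumption: the caller picks the value, e.g. "Lax" for a same-site form login.
    private final String sameSite;

    public RedirectUriSameSiteFilter(String sameSite) {
        this.sameSite = sameSite;
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (!(response instanceof HttpServletResponse httpResponse)) {
            chain.doFilter(request, response);
            return;
        }
        chain.doFilter(request, new HttpServletResponseWrapper(httpResponse) {
            @Override
            public void addCookie(Cookie cookie) {
                // Applies to the saved-request cookie and to the expiring cookie that
                // removes it; a SameSite value set elsewhere is left untouched.
                if (COOKIE_NAME.equals(cookie.getName()) && cookie.getAttribute("SameSite") == null) {
                    cookie.setAttribute("SameSite", sameSite);
                }
                super.addCookie(cookie);
            }
        });
    }
}
```

Register it ahead of Spring Security's filter chain so that the wrapped response is the one CookieRequestCache writes to. With Lax the cookie is not sent on a cross-site POST, so a login that completes on such a callback would not see the saved request.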