See #15047

Added the ability to configure the DefaultCookieSerializer's SameSite directive with an application property.

Fixes #15047

Comment From: pivotal-issuemaster

@cleankod Please sign the Contributor License Agreement!

Comment From: pivotal-issuemaster

@cleankod Thank you for signing the Contributor License Agreement!

Comment From: bclozel

Thanks for your contribution @cleankod - did you see @vpavic commenting on the related issue? It seems this change goes against the general opinion. See this comment.

Do you have new elements supporting this in the meantime?

Comment From: cleankod

@bclozel, @vpavic Since Google Chrome introduced the requirement for this attribute to be present, I really need to configure the application to include it in the Cookie. I have like 10 spring-boot-based web applications exposed to the browser.

I made this PR because when the time comes and the Servlet API releases the attribute as well, it would be completely transparent to me and all I'd need to do is upgrade Spring Boot.

Now, without the possibility to set this via property, it leaves me with the necessity to provide a DefaultCookieSerializer as a custom @Bean initialisation. So when the time comes with the Servlet API release, I'd need not only to upgrade Spring Boot, but also to remove all of the custom @Beans, checking of course that no one added anything to them after they were introduced.

I completely understand your reason, but in such cases I would consider leaning towards Spring Boot users since the update of Servlet API is surely coming because this directive became an official one and can be found in the specification. Waiting for Servlet API requires us to walk our way around this problem.

I'd therefore like to ask you to reconsider. If you stand by your decision anyway, then please consider merging my PR after the prerequisite Servlet API is released, so my work doesn't go to waste.
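
The custom `@Bean` workaround described in the comment above could look like the following. This is an added example, not code from the PR or from Spring Boot; the class name and the `app.session.cookie.same-site` property are hypothetical, and it assumes Spring Session is on the classpath.

```java
import java.util.Arrays;
import java.util.List;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.session.web.http.CookieSerializer;
import org.springframework.session.web.http.DefaultCookieSerializer;

// Hypothetical configuration class (name chosen for this example).
@Configuration
public class SessionCookieConfig {

    private static final List<String> ALLOWED = Arrays.asList("Strict", "Lax", "None");

    // Spring Session picks up a CookieSerializer bean in place of its default one.
    // "app.session.cookie.same-site" is a made-up, application-level property;
    // it falls back to Lax, which is also DefaultCookieSerializer's own default.
    @Bean
    public CookieSerializer cookieSerializer(
            @Value("${app.session.cookie.same-site:Lax}") String sameSite) {
        // Fail at startup on a typo instead of emitting an attribute value
        // that browsers do not recognise.
        if (!ALLOWED.contains(sameSite)) {
            throw new IllegalArgumentException(
                    "Unsupported SameSite value: " + sameSite + ", expected one of " + ALLOWED);
        }

        DefaultCookieSerializer serializer = new DefaultCookieSerializer();
        serializer.setSameSite(sameSite);
        serializer.setUseHttpOnlyCookie(true);

        if ("None".equals(sameSite)) {
            // Browsers that enforce the new SameSite rules reject SameSite=None
            // cookies that lack the Secure attribute. Without this call the
            // serializer derives Secure from request.isSecure(), which can be
            // false behind a TLS-terminating proxy.
            serializer.setUseSecureCookie(true);
        }
        return serializer;
    }
}
```

`None` sends the session cookie on cross-site requests, so it removes the CSRF mitigation that `Lax` or `Strict` provides and is only appropriate where cross-site use of the session is actually required.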

Comment From: vpavic

I don't think it's reasonable to expect Spring Boot to introduce a property under a Servlet API specific configuration property namespace for a thing that currently isn't supported by Servlet API and that requires an additional library (Spring Session) to be able to use it.

First and foremost, this is wrong as it's not usable if one's using Servlet container's default session management capabilities. Additionally, to my knowledge at least, the Servlet API support isn't imminent by any means and won't happen before 5.1.

I've proposed an alternative approach in #20961. This would add the capability to customize the SameSite setting of Spring Session's DefaultCookieSerializer by simply registering a bean like:

@Bean
CookieSerializerCustomizer cookieSerializerCustomizer() {
    return cookieSerializer -> cookieSerializer.setSameSite("None");
}

Comment From: adamklinkosz

@vpavic Could you please consider changing the target branch of your #20961 to 2.1.x?

Comment From: snicoll

@adamklinkosz we don't need that and we will make up our mind on where to backport this in due course (@vpavic please don't change the base branch).

Comment From: bclozel

I'm closing this PR in favor of #20961, as it is less tied to the Servlet spec - thanks @cleankod for your contribution!