Cookies have several attributes in addition to key and value.

  • httpOnly: whether JavaScript is allowed to read the cookie
  • secure: whether the cookie is only sent over HTTPS
  • domain: the domain the cookie is sent to
  • path: the path the cookie is sent for
  • maxAge: how long the cookie survives
  • sameSite: same-site policy; enumeration values: Strict, Lax, None

The others are familiar; the last one is newer. Chrome 51 added the SameSite attribute to the browser's cookies to prevent CSRF attacks and cross-site user tracking.

For a detailed explanation of SameSite, see the article on the SameSite attribute of cookies.

In Java web applications, cookies are usually set through javax.servlet.http.Cookie. SameSite is a recent addition, however, and the Servlet library has not been updated for it, so there is no setSameSite method.

The attributes defined in javax.servlet.http.Cookie:

As you can see, there is no definition of SameSite yet.

```java
//
// The value of the cookie itself.
//

private String name; // NAME= ... "$Name" style is reserved
private String value; // value of NAME

//
// Attributes encoded in the header's cookie fields.
//

private String comment; // ;Comment=VALUE ... describes cookie's use
                        // ;Discard ... implied by maxAge < 0
private String domain;  // ;Domain=VALUE ... domain that sees cookie
private int maxAge = -1; // ;Max-Age=VALUE ... cookies auto-expire
private String path;    // ;Path=VALUE ... URLs that see the cookie
private boolean secure; // ;Secure ... e.g. use SSL
private int version = 0; // ;Version=1 ... means RFC 2109++ style
private boolean isHttpOnly = false;
```
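One way to work around the missing setSameSite method without touching Spring or the container is a servlet filter that rewrites the Set-Cookie headers after the handler has run. This is an added example, not code from the original post; the class name SameSiteCookieFilter is hypothetical, and registering the filter with the container is left to the application.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter (not from the original post): rewrites the Set-Cookie
// headers written by the application so that each carries a SameSite attribute.
public class SameSiteCookieFilter implements Filter {
    private final String sameSite; // "Strict", "Lax" or "None"

    public SameSiteCookieFilter(String sameSite) { this.sameSite = sameSite; }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        chain.doFilter(req, res); // let the handler add its cookies first
        if (!(res instanceof HttpServletResponse)) return;
        HttpServletResponse response = (HttpServletResponse) res;
        if (response.isCommitted()) return; // headers already sent, cannot change
        // copy first: getHeaders() may return a live view of the header map
        List<String> cookies = new ArrayList<>(response.getHeaders("Set-Cookie"));
        for (int i = 0; i < cookies.size(); i++) {
            String value = withSameSite(cookies.get(i), sameSite);
            if (i == 0) {
                response.setHeader("Set-Cookie", value); // replaces all old values
            } else {
                response.addHeader("Set-Cookie", value);
            }
        }
    }

    // Appends SameSite only when the header does not already carry one; a
    // SameSite=None cookie must also be Secure or browsers will reject it.
    static String withSameSite(String setCookie, String sameSite) {
        boolean hasSameSite = false, hasSecure = false;
        for (String part : setCookie.split(";")) {
            String p = part.trim();
            if (p.regionMatches(true, 0, "SameSite=", 0, 9)) hasSameSite = true;
            if (p.equalsIgnoreCase("Secure")) hasSecure = true;
        }
        if (hasSameSite) return setCookie;
        String out = setCookie + "; SameSite=" + sameSite;
        if ("None".equalsIgnoreCase(sameSite) && !hasSecure) out += "; Secure";
        return out;
    }
}
```

The filter only sees Set-Cookie headers that are present when the chain returns on an uncommitted response, so cookies the container writes later are better handled by configuring the container itself, as the post does for the session cookie.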

Set a Cookie to the client via ResponseCookie

Essentially, a Cookie is just a header. Instead of using Cookie objects, we can set cookies to clients by customizing headers.

ResponseCookie is a cookie builder class provided by Spring, and it is very simple to use.

```java
import java.time.Duration;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.http.HttpHeaders;
import org.springframework.http.ResponseCookie;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
@RequestMapping
public class TestController {
	
	@GetMapping("/test")
	public Object test(HttpServletRequest request, HttpServletResponse response) throws Exception {
		
		ResponseCookie cookie = ResponseCookie.from("myCookie", "myCookieValue") // key & value
				.httpOnly(true)		// Disable JavaScript reading
				.secure(false)		// Also transfer under plain HTTP
				.domain("localhost")	// domain name
				.path("/")			// path
				.maxAge(Duration.ofHours(1))	// Expire in 1 hour
				.sameSite("Lax")	// Not sent on cross-site requests, except top-level GET navigations to the target URL
				.build();
		
		// Set the Set-Cookie header
		response.setHeader(HttpHeaders.SET_COOKIE, cookie.toString());
		
		return "ok";
	}
}
```

The cookie returned to the client:

All attributes are returned correctly √

The SameSite property of the HttpSession Cookie

HttpSession relies on a Cookie named JSESSIONID (the default name).

The JSESSIONID cookie can be adjusted through the following configuration properties. However, Spring Boot does not currently provide a SameSite configuration property either.

Configuration class: org.springframework.boot.web.servlet.server.Session.Cookie

```properties
server.servlet.session.cookie.comment
server.servlet.session.cookie.domain
server.servlet.session.cookie.http-only
server.servlet.session.cookie.max-age
server.servlet.session.cookie.name
server.servlet.session.cookie.path
server.servlet.session.cookie.secure
```

Set the SameSite property on the Session Cookie by modifying the container configuration

Tomcat

```java
import org.apache.tomcat.util.http.Rfc6265CookieProcessor;
import org.apache.tomcat.util.http.SameSiteCookies;
import org.springframework.boot.web.embedded.tomcat.TomcatContextCustomizer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class TomcatConfiguration {

	@Bean
	public TomcatContextCustomizer sameSiteCookiesConfig() {
		return context -> {
			final Rfc6265CookieProcessor cookieProcessor = new Rfc6265CookieProcessor();
			// Set SameSite for every cookie written through this context, including JSESSIONID
			cookieProcessor.setSameSiteCookies(SameSiteCookies.LAX.getValue());
			context.setCookieProcessor(cookieProcessor);
		};
	}
}
```

Spring Session’s SameSite property

Set the SameSite attribute using a custom CookieSerializer

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.session.web.http.CookieSerializer;

import com.video.common.spring.session.DynamicCookieMaxAgeCookieSerializer;

@Configuration
public class SpringSessionConfiguration {
	
	@Bean
	public CookieSerializer cookieSerializer() {
		// DynamicCookieMaxAgeCookieSerializer is the author's own serializer class
		DynamicCookieMaxAgeCookieSerializer serializer = new DynamicCookieMaxAgeCookieSerializer();
		serializer.setCookieName("JSESSIONID");
		serializer.setDomainName("localhost");
		serializer.setCookiePath("/");
		serializer.setCookieMaxAge(3600);
		serializer.setSameSite("Lax");  // Set the SameSite attribute
		serializer.setUseHttpOnlyCookie(true);
		serializer.setUseSecureCookie(false);
		return serializer;
	}
}
```

Source: springboot.io/topic/260/t…