From 82194f4ee0adeffeb3ae0078357d7da6d1cbc85c Mon Sep 17 00:00:00 2001
From: Vedran Pavic
Date: Fri, 20 Jul 2018 23:19:21 +0200
Subject: [PATCH] Set SameSite default to Lax
Issue: SPR-16418
---
 .../web/server/session/CookieWebSessionIdResolver.java | 2 +-
 .../web/server/session/CookieWebSessionIdResolverTests.java | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/spring-web/src/main/java/org/springframework/web/server/session/CookieWebSessionIdResolver.java b/spring-web/src/main/java/org/springframework/web/server/session/CookieWebSessionIdResolver.java
index a4f3ed78f3..68e07bdbea 100644
--- a/spring-web/src/main/java/org/springframework/web/server/session/CookieWebSessionIdResolver.java
+++ b/spring-web/src/main/java/org/springframework/web/server/session/CookieWebSessionIdResolver.java
@@ -125,7 +125,7 @@ public class CookieWebSessionIdResolver implements WebSessionIdResolver {
 .maxAge(maxAge)
 .httpOnly(true)
 .secure("https".equalsIgnoreCase(exchange.getRequest().getURI().getScheme()))
- .sameSite("Strict");
+ .sameSite("Lax");
 if (this.cookieInitializer != null) {
 this.cookieInitializer.accept(cookieBuilder);
diff --git a/spring-web/src/test/java/org/springframework/web/server/session/CookieWebSessionIdResolverTests.java b/spring-web/src/test/java/org/springframework/web/server/session/CookieWebSessionIdResolverTests.java
index ab21cc2a04..3339cc25a0 100644
--- a/spring-web/src/test/java/org/springframework/web/server/session/CookieWebSessionIdResolverTests.java
+++ b/spring-web/src/test/java/org/springframework/web/server/session/CookieWebSessionIdResolverTests.java
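Review bot: The new `.sameSite("Lax")` default carries no comment explaining why the session cookie was relaxed from Strict, so a reader of the builder chain cannot tell that Lax lets the browser attach the session cookie to top-level cross-site GET navigations, whereas Strict withheld it on every cross-site request. Since the hunk shows `cookieInitializer` running after the default is applied, applications that still need Strict can restore it through `addCookieInitializer`, and that override path is worth stating at the call site. Suggested comment above the changed line: `// Lax rather than Strict, presumably so the session survives top-level cross-site navigations (e.g. arriving via an external link); cross-site POSTs and subresource requests still omit the cookie, so state-changing endpoints must not be reachable via GET. Override with addCookieInitializer(b -> b.sameSite("Strict")).` The class-level Javadoc, which lies outside this hunk, should likewise name the default and how to change it. The enclosing method starts and ends outside this hunk.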
@@ -44,13 +44,13 @@ public class CookieWebSessionIdResolverTests {
 assertEquals(1, cookies.size());
 ResponseCookie cookie = cookies.getFirst(this.resolver.getCookieName());
 assertNotNull(cookie);
- assertEquals("SESSION=123; Path=/; Secure; HttpOnly; SameSite=Strict", cookie.toString());
+ assertEquals("SESSION=123; Path=/; Secure; HttpOnly; SameSite=Lax", cookie.toString());
 }
 @Test
 public void cookieInitializer() {
 this.resolver.addCookieInitializer(builder -> builder.domain("example.org"));
- this.resolver.addCookieInitializer(builder -> builder.sameSite("Lax"));
+ this.resolver.addCookieInitializer(builder -> builder.sameSite("Strict"));
 this.resolver.addCookieInitializer(builder -> builder.secure(false));
 MockServerHttpRequest request = MockServerHttpRequest.get("https://example.org/path").build();
@@ -61,7 +61,7 @@ public class CookieWebSessionIdResolverTests {
 assertEquals(1, cookies.size());
 ResponseCookie cookie = cookies.getFirst(this.resolver.getCookieName());
 assertNotNull(cookie);
- assertEquals("SESSION=123; Path=/; Domain=example.org; HttpOnly; SameSite=Lax", cookie.toString());
+ assertEquals("SESSION=123; Path=/; Domain=example.org; HttpOnly; SameSite=Strict", cookie.toString());
 }
 }