From 82194f4ee0adeffeb3ae0078357d7da6d1cbc85c Mon Sep 17 00:00:00 2001
From: Vedran Pavic <vedran.pavic@gmail.com>
Date: Fri, 20 Jul 2018 23:19:21 +0200
Subject: [PATCH] Set SameSite default to Lax

Issue: SPR-16418
---
 .../web/server/session/CookieWebSessionIdResolver.java      | 2 +-
 .../web/server/session/CookieWebSessionIdResolverTests.java | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/spring-web/src/main/java/org/springframework/web/server/session/CookieWebSessionIdResolver.java b/spring-web/src/main/java/org/springframework/web/server/session/CookieWebSessionIdResolver.java
index a4f3ed78f3..68e07bdbea 100644
--- a/spring-web/src/main/java/org/springframework/web/server/session/CookieWebSessionIdResolver.java
+++ b/spring-web/src/main/java/org/springframework/web/server/session/CookieWebSessionIdResolver.java
@@ -125,7 +125,7 @@ public class CookieWebSessionIdResolver implements WebSessionIdResolver {
 				.maxAge(maxAge)
 				.httpOnly(true)
 				.secure("https".equalsIgnoreCase(exchange.getRequest().getURI().getScheme()))
-				.sameSite("Strict");
+				.sameSite("Lax");
 
 		if (this.cookieInitializer != null) {
 			this.cookieInitializer.accept(cookieBuilder);
diff --git a/spring-web/src/test/java/org/springframework/web/server/session/CookieWebSessionIdResolverTests.java b/spring-web/src/test/java/org/springframework/web/server/session/CookieWebSessionIdResolverTests.java
index ab21cc2a04..3339cc25a0 100644
--- a/spring-web/src/test/java/org/springframework/web/server/session/CookieWebSessionIdResolverTests.java
+++ b/spring-web/src/test/java/org/springframework/web/server/session/CookieWebSessionIdResolverTests.java
@@ -44,13 +44,13 @@ public class CookieWebSessionIdResolverTests {
 		assertEquals(1, cookies.size());
 		ResponseCookie cookie = cookies.getFirst(this.resolver.getCookieName());
 		assertNotNull(cookie);
-		assertEquals("SESSION=123; Path=/; Secure; HttpOnly; SameSite=Strict", cookie.toString());
+		assertEquals("SESSION=123; Path=/; Secure; HttpOnly; SameSite=Lax", cookie.toString());
 	}
 
 	@Test
 	public void cookieInitializer() {
 		this.resolver.addCookieInitializer(builder -> builder.domain("example.org"));
-		this.resolver.addCookieInitializer(builder -> builder.sameSite("Lax"));
+		this.resolver.addCookieInitializer(builder -> builder.sameSite("Strict"));
 		this.resolver.addCookieInitializer(builder -> builder.secure(false));
 
 		MockServerHttpRequest request = MockServerHttpRequest.get("https://example.org/path").build();
@@ -61,7 +61,7 @@ public class CookieWebSessionIdResolverTests {
 		assertEquals(1, cookies.size());
 		ResponseCookie cookie = cookies.getFirst(this.resolver.getCookieName());
 		assertNotNull(cookie);
-		assertEquals("SESSION=123; Path=/; Domain=example.org; HttpOnly; SameSite=Lax", cookie.toString());
+		assertEquals("SESSION=123; Path=/; Domain=example.org; HttpOnly; SameSite=Strict", cookie.toString());
 	}
 
 }