Add SameSite support in WebFlux SESSION cookies

This commit adds support for the "SameSite" attribute in response
cookies. As explained in rfc6265bis, this attribute can be used to limit
the scope of a cookie so that it can't be attached to a request unless
it is sent from the "same-site".

This feature is currently supported by Google Chrome and Firefox, other
browsers will ignore this attribute.

This feature can help prevent CSRF attacks; this is why this commit adds
this attribute by default for SESSION Cookies in WebFlux.

See: https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis

Issue: SPR-16418
This commit is contained in:
Brian Clozel
2018-06-14 11:22:43 +02:00
parent 1e5f8cc232
commit 09d9450154
3 changed files with 62 additions and 10 deletions

View File

@@ -1,5 +1,5 @@
/*
* Copyright 2002-2017 the original author or authors.
* Copyright 2002-2018 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -44,6 +44,6 @@ public class CookieWebSessionIdResolverTests {
assertEquals(1, cookies.size());
ResponseCookie cookie = cookies.getFirst(this.resolver.getCookieName());
assertNotNull(cookie);
assertEquals("SESSION=123; Path=/; Secure; HttpOnly", cookie.toString());
assertEquals("SESSION=123; Path=/; Secure; HttpOnly; SameSite=Strict", cookie.toString());
}
}