Add SameSite support in WebFlux SESSION cookies
This commit adds support for the "SameSite" attribute in response cookies. As explained in rfc6265bis, this attribute can be used to limit the scope of a cookie so that it can't be attached to a request unless it is sent from the "same-site". This feature is currently supported by Google Chrome and Firefox; other browsers will ignore this attribute. This feature can help prevent CSRF attacks; this is why this commit adds this attribute by default for SESSION Cookies in WebFlux.

See: https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis
Issue: SPR-16418
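The attachment rule the commit message summarises is worth seeing end to end, because the `Strict` default chosen here and the weaker `Lax` mode behave differently on the two request shapes that matter: a cross-site form POST (the CSRF case the commit is defending against) and a cross-site top-level link click. The following is an added example written for this page, not code from the Spring Framework commit; it models the rfc6265bis rule in plain Python with constructed cookies and requests, and simplifies site comparison to a string match on a registrable domain (no public-suffix lookup) and omits the `Secure` requirement browsers attach to `SameSite=None`.

```python
"""Toy model of the rfc6265bis SameSite attachment rule (added example).

Assumptions: `site` strings are already-computed registrable domains, and a
request is "same-site" when the initiating page and the target share one.
"""
from dataclasses import dataclass

# Methods rfc6265bis treats as "safe" for the Lax top-level-navigation case.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    site: str        # registrable domain that set the cookie, e.g. "app.example"
    same_site: str   # "Strict", "Lax" or "None"


@dataclass(frozen=True)
class Request:
    target_site: str             # registrable domain of the URL being fetched
    initiator_site: str          # registrable domain of the page that caused it
    method: str = "GET"
    top_level_navigation: bool = False  # link click / redirect that replaces the page


def is_same_site(request: Request) -> bool:
    return request.initiator_site == request.target_site


def cookie_attached(cookie: Cookie, request: Request) -> bool:
    """Return True if a conforming user agent would send `cookie` on `request`."""
    if cookie.site != request.target_site:
        return False  # cookie belongs to a different host altogether
    if is_same_site(request):
        return True   # same-site requests always carry the cookie
    mode = cookie.same_site.lower()
    if mode == "none":
        return True   # explicitly opted in to cross-site delivery
    if mode == "lax":
        # Lax: cross-site only for top-level navigations using a safe method,
        # so a link click arrives logged in but a cross-site form POST does not.
        return request.top_level_navigation and request.method.upper() in SAFE_METHODS
    return False      # Strict: never attached to a cross-site request


def cookie_header(cookies, request: Request) -> str:
    """Build the Cookie request header a browser would send for `request`."""
    return "; ".join(f"{c.name}={c.value}" for c in cookies if cookie_attached(c, request))


def scenarios() -> dict:
    """Outcomes for the request shapes discussed in the commit message."""
    strict = Cookie("SESSION", "123", "app.example", "Strict")
    lax = Cookie("SESSION", "123", "app.example", "Lax")
    unrestricted = Cookie("SESSION", "123", "app.example", "None")
    # Constructed requests: a cross-site form POST (the CSRF shape), a cross-site
    # link click (top-level GET), and an ordinary same-site POST.
    cross_post = Request("app.example", "other.example", "POST", False)
    cross_link = Request("app.example", "mail.example", "GET", True)
    same_post = Request("app.example", "app.example", "POST", False)
    return {
        "strict_cross_post": cookie_attached(strict, cross_post),
        "lax_cross_post": cookie_attached(lax, cross_post),
        "none_cross_post": cookie_attached(unrestricted, cross_post),
        "strict_cross_link": cookie_attached(strict, cross_link),
        "lax_cross_link": cookie_attached(lax, cross_link),
        "strict_same_post": cookie_attached(strict, same_post),
    }


if __name__ == "__main__":
    for case, sent in scenarios().items():
        print(f"{case:20s} cookie sent: {sent}")
```

Both `Strict` and `Lax` withhold the session cookie from the cross-site POST, which is the CSRF protection the commit is after; only `Strict` also withholds it from the cross-site link click, which is the usability cost of the default this commit picks.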
@@ -1,5 +1,5 @@
/*
* Copyright 2002-2017 the original author or authors.
* Copyright 2002-2018 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -44,6 +44,6 @@ public class CookieWebSessionIdResolverTests {
assertEquals(1, cookies.size());
ResponseCookie cookie = cookies.getFirst(this.resolver.getCookieName());
assertNotNull(cookie);
assertEquals("SESSION=123; Path=/; Secure; HttpOnly", cookie.toString());
assertEquals("SESSION=123; Path=/; Secure; HttpOnly; SameSite=Strict", cookie.toString());
}
}
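Review bot: the updated assertion (`... Secure; HttpOnly; SameSite=Strict`) only pins the new default and nothing in this test exercises changing or dropping the attribute, yet `Strict` withholds the SESSION cookie even on cross-site top-level GET navigations (a link from webmail, a redirect back from an external login provider), so a user arriving that way appears logged out. Add a second case that overrides the value to `Lax` and asserts the serialized cookie, so the opt-out path is covered by a test and the trade-off behind the `Strict` default is documented next to it.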