tokuhirom's blog

spring boot 2.1+(spring framework 5.1+) applies `samesite=Lax` attribute to session cookie by default

https://github.com/spring-projects/spring-session/pull/1132/commits/f9e6bc7a3e2abd6ce25b13da98fae4d1655462bd

After boot 2.1, DefaultCookieSerializer applies samesite=lax attribute by default. As a result, the security risk was decreased.

But in the OAuth2 authentication process, OAuth2 provider can pass the data by POST method. It can't work with samesite=lax attribute(A browser won't send cookie).

You can configure the default behavior by following bean definition.

    @Bean
    public CookieSerializer cookieSerializer() {
        DefaultCookieSerializer cookieSerializer = new DefaultCookieSerializer();
        cookieSerializer.setSameSite(null);
        return cookieSerializer;
    }
Created: 2018-11-09 18:09:56 +0900
Updated: 2018-11-09 18:09:56 +0900