tokuhirom's blog

spring boot 2.1+ (spring session 2.1+) applies `SameSite=Lax` attribute to session cookie by default

Since Spring Boot 2.1, which pulls in Spring Session 2.1, `DefaultCookieSerializer` writes the `SameSite=Lax` attribute on the session cookie by default. Browsers then withhold the cookie from cross-site POST requests, so the CSRF exposure of the session is reduced.

But in an OAuth2 / OpenID Connect login flow the provider may return the authorization response to your callback URL with a cross-site POST (the `form_post` response mode). That does not work with `SameSite=Lax`: the browser does not attach the session cookie to a cross-site POST, so the callback request arrives without the session that was created before the redirect and the login fails.
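To make the failure concrete, here is a small model of the browser's SameSite decision rule, written as an added example for this post (it is not the post's own code and not Spring's). Site names, the session value and the callback path are constructed; the registrable-domain check is simplified to the last two host labels instead of the Public Suffix List. It also goes beyond the 2018 situation: `unspecifiedDefault` lets you model both a browser that treats a cookie with no attribute as `None` (as browsers did when this post was written) and one that treats it as `Lax` (Chrome 80 and later), which is what decides whether simply dropping the attribute still helps.

```javascript
// Added example (not from the original post): model of the browser rule that
// decides whether a cookie is attached to a request, applied to an OAuth2
// callback that arrives as a cross-site POST (response_mode=form_post).

const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

// Simplified: last two labels of the host. A real browser uses the Public Suffix List.
function registrableDomain(url) {
  return new URL(url).hostname.split(".").slice(-2).join(".");
}

// A cookie as the server set it. sameSite is "Strict", "Lax", "None" or null (no attribute).
function makeCookie(name, value, { sameSite = "Lax", secure = false } = {}) {
  return { name, value, sameSite, secure };
}

// request: { url, topLevel, method }; initiator: URL of the page that issued the request.
// unspecifiedDefault: how the browser treats a cookie with no SameSite attribute.
function cookieIsSent(cookie, request, initiator, unspecifiedDefault = "Lax") {
  if (cookie.sameSite === "None") {
    // An explicit SameSite=None is only accepted together with Secure over HTTPS.
    return cookie.secure && request.url.startsWith("https://");
  }
  const mode = cookie.sameSite ?? unspecifiedDefault;
  if (mode === "None") return true; // legacy default: no attribute, always sent
  const sameSiteRequest = registrableDomain(request.url) === registrableDomain(initiator);
  if (sameSiteRequest) return true;
  if (mode === "Strict") return false;
  // Lax: cross-site cookies only ride on top-level navigations with a safe method.
  return request.topLevel && SAFE_METHODS.has(request.method);
}

// Simulated login: the app's SESSION cookie exists, the provider (a different site)
// posts or redirects the browser back to the app's callback URL.
function simulateOAuthCallback({ sameSite = "Lax", method = "POST", unspecifiedDefault = "Lax" } = {}) {
  const session = makeCookie("SESSION", "constructed-session-id", { sameSite, secure: true });
  const callback = {
    url: "https://app.example.com/login/oauth2/code/idp", // constructed callback URL
    topLevel: true,
    method,
  };
  return cookieIsSent(session, callback, "https://idp.example.net/authorize", unspecifiedDefault);
}

// Quick table when run directly.
for (const sameSite of ["Lax", "Strict", "None", null]) {
  for (const method of ["GET", "POST"]) {
    const sent = simulateOAuthCallback({ sameSite, method });
    console.log(`SameSite=${sameSite ?? "(none)"} callback ${method}: cookie sent = ${sent}`);
  }
}
```

The runs that matter for this post: with `Lax` the GET callback (`response_mode=query`) gets the cookie but the POST callback does not; an explicit `None` with `Secure` is sent on the POST; a cookie with no attribute is sent only while the browser's default is still `None`.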

You can change the default with the following bean definition (`CookieSerializer` and `DefaultCookieSerializer` live in `org.springframework.session.web.http`). Passing `null` to `setSameSite` omits the attribute, which is the behaviour before 2.1. Note that Chrome 80 and later treat a cookie without a `SameSite` attribute as `Lax` anyway, so for those browsers the cross-site POST only works with `setSameSite("None")` together with `setUseSecureCookie(true)`, since `SameSite=None` is only accepted on a `Secure` cookie.

    @Bean
    public CookieSerializer cookieSerializer() {
        DefaultCookieSerializer cookieSerializer = new DefaultCookieSerializer();
        cookieSerializer.setSameSite(null); // omit the SameSite attribute (pre-2.1 behaviour)
        return cookieSerializer;
    }
Created: 2018-11-09 18:09:56 +0900
Updated: 2018-11-09 18:09:56 +0900