Springboot应用中设置Cookie的SameSite属性

link之家

链接快照平台

输入网页链接，自动生成快照
标签化管理网页链接

javax.servlet.http.Cookie 中定义的的属性

可以看到，还没有 SameSite 的定义

// The value of the cookie itself. private String name; // NAME= ... "$Name" style is reserved private String value; // value of NAME // Attributes encoded in the header's cookie fields. private String comment; // ;Comment=VALUE ... describes cookie's use // ;Discard ... implied by maxAge < 0 private String domain; // ;Domain=VALUE ... domain that sees cookie private int maxAge = -1; // ;Max-Age=VALUE ... cookies auto-expire private String path; // ;Path=VALUE ... URLs that see the cookie private boolean secure; // ;Secure ... e.g. use SSL private int version = 0; // ;Version=1 ... means RFC 2109++ style private boolean isHttpOnly = false;

通过 ResponseCookie 给客户端设置Cookie

本质上， Cookie 也只是一个 header 。我们可以不使用 Cookie 对象，而通过自定义 Header 的方式来给客户端设置 Cookie 。

ResponseCookie 是Spring定义的一个 Cookie 构建工具类，极其简单

import java.time.Duration;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.http.HttpHeaders;
import org.springframework.http.ResponseCookie;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;
@RestController
@RequestMapping
public class TestController {
	@GetMapping("/test")
	public Object test (HttpServletRequest request,
					HttpServletResponse response) throws Exception {
		ResponseCookie cookie = ResponseCookie.from("myCookie", "myCookieValue") // key & value
				.httpOnly(true)		// 禁止js读取
				.secure(false)		// 在http下也传输
				.domain("localhost")// 域名
				.path("/")			// path
				.maxAge(Duration.ofHours(1))	// 1个小时候过期
				.sameSite("Lax")	// 大多数情况也是不发送第三方 Cookie，但是导航到目标网址的 Get 请求除外
				.build()
		// 设置Cookie Header
		response.setHeader(HttpHeaders.SET_COOKIE, cookie.toString());
		return "ok";
响应给客户端的Cookie
所有属性都响应正确 √
HttpSession Cookie 的SameSite属性
HttpSession依赖一个名称叫做JSESSIONID（默认名称）的Cookie。
对于JSESSIONID Cookie 的设置，可以修改如下配置。但是，目前spring也没实现SameSite的配置项。
配置类 ： org.springframework.boot.web.servlet.server.Cookie
server.servlet.session.cookie.comment
server.servlet.session.cookie.domain
server.servlet.session.cookie.http-only
server.servlet.session.cookie.max-age
server.servlet.session.cookie.name
server.servlet.session.cookie.path
server.servlet.session.cookie.secure
通过修改容器的配置，对Session Cookie设置SameSite属性
Tomcat
import org.apache.tomcat.util.http.Rfc6265CookieProcessor;
import org.apache.tomcat.util.http.SameSiteCookies;
import org.springframework.boot.web.embedded.tomcat.TomcatContextCustomizer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
@Configuration
public class TomcatConfiguration {
	@Bean
	public TomcatContextCustomizer sameSiteCookiesConfig() {
		return context -> {
			final Rfc6265CookieProcessor cookieProcessor = new Rfc6265CookieProcessor();
			// 设置Cookie的SameSite
			cookieProcessor.setSameSiteCookies(SameSiteCookies.LAX.getValue());
			context.setCookieProcessor(cookieProcessor);
Spring Session的SameSite属性
通过自定义 CookieSerializer   设置 SameSite属性
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.session.web.http.CookieSerializer;
import com.video.common.spring.session.DynamicCookieMaxAgeCookieSerializer;
@Configuration
public class SpringSessionConfiguration {
	@Bean
	public CookieSerializer cookieSerializer() {
		DynamicCookieMaxAgeCookieSerializer serializer = new DynamicCookieMaxAgeCookieSerializer();
		serializer.setCookieName("JSESSIONID");
		serializer.setDomainName("localhost");
		serializer.setCookiePath("/");
		serializer.setCookieMaxAge(3600);
		serializer.setSameSite("Lax");  // 设置SameSite属性
		serializer.setUseHttpOnlyCookie(true);
		serializer.setUseSecureCookie(false);
		return serializer;
首发：https://springboot.io/t/topic/2602