Expected Behavior
CookieCsrfTokenRepository can be configured with a setSameSite method taking an enum as argument to allow setting the SameSite attribute for the XSRF cookie.
Current Behavior
CookieCsrfTokenRepository provides no way to specify SameSite.
Context
This is inspired by: https://github.com/spring-projects/spring-security/issues/7537#issuecomment-1208552260 which has collected several thumbs up by now :)
For us this is triggered by security requesting that we add SameSite to our CSRF token, which right now we can only do by copy-pasting the CookieCsrfTokenRepository class and modifying it to use a ResponseCookie and add SameSite with that.
See also: https://stackoverflow.com/questions/60039647/is-it-possible-to-add-same-site-attribute-to-spring-security-csrfs-csrftokenre
Comment From: marcusdacoregio
Hi @void-spark.
Since Spring Boot 2.6, you can achieve this by providing a CookieSameSiteSupplier bean:
import org.springframework.boot.web.servlet.server.CookieSameSiteSupplier;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration(proxyBeanMethods = false)
public class MySameSiteConfiguration {

    // Applies SameSite=Lax to every cookie whose name matches the regex "myapp.*"
    @Bean
    public CookieSameSiteSupplier applicationCookieSameSiteSupplier() {
        return CookieSameSiteSupplier.ofLax().whenHasNameMatching("myapp.*");
    }
}
Is this what you are looking for?
Comment From: void-spark
Hmm, that uses some kind of cookie post-processing functionality at server level? I guess it only works with Spring Boot in standalone/fat jar/embedded webserver mode? I'm guessing that might work, is there any Spring documentation on the feature? :)
Comment From: marcusdacoregio
I guess it only works with Spring Boot in standalone/fat jar/embedded webserver mode?
As far as I know, yes.
Here is the documentation about that feature: https://docs.spring.io/spring-boot/docs/current/reference/html/web.html#web.servlet.embedded-container.customizing.samesite
I'll close this for now but feel free to continue the discussion if you think there is value in adding this feature.
Comment From: martashorak
Hi @marcusdacoregio,
Is there any way to use CookieSameSiteSupplier when deploying on standalone JBoss or another non-embedded servlet container? From the documentation I got the feeling that you have to be using an embedded server, and only for the session cookie.
Thanks
Comment From: marcusdacoregio
Hello @martashorak, I'm afraid that this question is more suited to StackOverflow, but I'm quite sure that it is possible to configure the cookies or override them if needed.
Comment From: svschouw-bb
I think there still is value. Not everybody uses Spring Boot, and not everybody runs it in embedded mode. It feels like the Spring Boot method is a fairly elaborate hack which is webserver dependent, whereas this would be 1 setting in CookieCsrfTokenRepository.