As reported by @OrangeDog on Gitter, there's an unfortunate mismatch between Servlet's default cookie name (JSESSIONID) and Spring Session's default cookie name (SESSION). This mismatch means that the server.servlet.session.cookie.same-site property has no effect when using Spring Session. I think that setting server.servlet.session.cookie.name=SESSION will get things working. We should confirm that this is the case and also see if there's something that we can do so that this works out of the box.

Comment From: OrangeDog

Setting server.servlet.session.cookie.name=SESSION does not appear to have any effect.

Comment From: wilkinsona

Thanks for trying that out, @OrangeDog. It doesn't work as I misdiagnosed the cause here. It's actually simpler than I thought and we just need to map the property onto Spring Session's DefaultCookieSerializer. You can do that yourself as a workaround in the meantime by defining the following bean in your application:

@Bean
DefaultCookieSerializer cookieSerializer(ServerProperties serverProperties,
        ObjectProvider<DefaultCookieSerializerCustomizer> cookieSerializerCustomizers) {
    Cookie cookie = serverProperties.getServlet().getSession().getCookie();
    DefaultCookieSerializer cookieSerializer = new DefaultCookieSerializer();
    PropertyMapper map = PropertyMapper.get().alwaysApplyingWhenNonNull();
    map.from(cookie::getName).to(cookieSerializer::setCookieName);
    map.from(cookie::getDomain).to(cookieSerializer::setDomainName);
    map.from(cookie::getPath).to(cookieSerializer::setCookiePath);
    map.from(cookie::getHttpOnly).to(cookieSerializer::setUseHttpOnlyCookie);
    map.from(cookie::getSecure).to(cookieSerializer::setUseSecureCookie);
    map.from(cookie::getMaxAge).asInt(Duration::getSeconds).to(cookieSerializer::setCookieMaxAge);
    map.from(cookie::getSameSite).as(SameSite::attributeValue).to(cookieSerializer::setSameSite);
    cookieSerializerCustomizers.orderedStream().forEach((customizer) -> customizer.customize(cookieSerializer));
    return cookieSerializer;
}

Comment From: OrangeDog

That’s what I already do, but with @ConfigurationProperties.

Comment From: vpavic

@wilkinsona I just saw this issue and wanted to leave the same comment as you did in the meantime. Anyway, if no one is working on this, I prepared the branch with changes to address this so I can proceed to submit the PR fairly soon. But this could also be a nice issue for first-timers so I'll let you decide.

Comment From: vpavic

As there was no feedback on the previous comment, I've opened #28784 to address this.

Comment From: philwebb

Closing in favor of PR #28784. Thanks @vpavic!
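
Added example, not part of the issue thread or of Spring Boot's code: a small check that reads a response's Set-Cookie headers and reports whether the session cookie carries the SameSite value that was configured, including the case where the check looks for the wrong cookie name. The class name, the sample header values and the expected value Strict are assumptions constructed for illustration.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;

public class SessionCookieSameSiteCheck {

    /** Returns findings for cookieName across the given Set-Cookie header values. */
    static List<String> check(List<String> setCookieHeaders, String cookieName, String expectedSameSite) {
        List<String> findings = new ArrayList<>();
        boolean seen = false;
        for (String header : setCookieHeaders) {
            String[] parts = header.split(";");
            String name = parts[0].split("=", 2)[0].trim();
            if (!name.equals(cookieName)) {
                continue; // a different cookie, e.g. SESSION when looking for JSESSIONID
            }
            seen = true;
            // Attribute names are case-insensitive, so normalise them before lookup.
            Map<String, String> attrs = new HashMap<>();
            for (int i = 1; i < parts.length; i++) {
                String[] kv = parts[i].trim().split("=", 2);
                attrs.put(kv[0].trim().toLowerCase(Locale.ROOT), kv.length > 1 ? kv[1].trim() : "");
            }
            String actual = attrs.get("samesite");
            if (actual == null) {
                findings.add(cookieName + ": SameSite attribute missing");
            } else if (!actual.equalsIgnoreCase(expectedSameSite)) {
                findings.add(cookieName + ": SameSite=" + actual + ", expected " + expectedSameSite);
            }
        }
        if (!seen) {
            findings.add(cookieName + ": cookie not set in this response");
        }
        return findings;
    }

    public static void main(String[] args) {
        // Constructed Set-Cookie values, not captured from a real application.
        List<String> before = List.of("SESSION=Y2FmZQ; Path=/; HttpOnly; SameSite=Lax");
        List<String> after = List.of("SESSION=Y2FmZQ; Path=/; HttpOnly; SameSite=Strict");
        String expected = "Strict"; // assumes server.servlet.session.cookie.same-site=strict
        System.out.println(check(before, "JSESSIONID", expected)); // wrong cookie name
        System.out.println(check(before, "SESSION", expected));    // property not applied
        System.out.println(check(after, "SESSION", expected));     // property applied
    }
}
```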