How to set same-site cookie flag in Spring Boot?

Problem description

Is it possible to set Same-Site Cookie flag in Spring Boot?

My problem in Chrome:

A cookie associated with a cross-site resource at http://google.com/ was set without the SameSite attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with SameSite=None and Secure. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.

How to solve this problem?

Recommended answer

This is an open issue with Spring Security (https://github.com/spring-projects/spring-security/issues/7537)

As I inspected in Spring-Boot (2.1.7.RELEASE), by default it uses DefaultCookieSerializer, which carries a property sameSite defaulting to Lax.

You can modify this upon application boot, through the following code.

Note: This is a hack until a real fix (configuration) is exposed in the next Spring release.

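import lombok.AllArgsConstructor;
import lombok.extern.slf4j.Slf4j;
import org.springframework.context.ApplicationContext;
import org.springframework.context.event.ContextRefreshedEvent;
import org.springframework.context.event.EventListener;
import org.springframework.session.web.http.DefaultCookieSerializer;
import org.springframework.stereotype.Component;

@Slf4j // provides the `log` field used below
@Component
@AllArgsConstructor
public class SameSiteInjector {

  private final ApplicationContext applicationContext;

  // Runs once the context is refreshed, so the serializer bean already exists.
  @EventListener
  public void onApplicationEvent(ContextRefreshedEvent event) {
    DefaultCookieSerializer cookieSerializer = applicationContext.getBean(DefaultCookieSerializer.class);
    log.info("Received DefaultCookieSerializer, Overriding SameSite Strict");
    // Replaces the default value (Lax) on the shared serializer instance.
    cookieSerializer.setSameSite("strict");
  }
}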
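
To confirm what an application actually emits after a change like the one above, the following added example (not part of the original answer or of Spring) audits Set-Cookie header values against the rule quoted in the Chrome warning: a cookie marked SameSite=None must also be marked Secure. The class name, method name and sample headers are constructed for illustration.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;

/** Added example: audits Set-Cookie header values against the rule in Chrome's warning. */
public class SameSiteAudit {

  /** Returns findings for one Set-Cookie header value; an empty list means no issue. */
  static List<String> audit(String setCookie) {
    String sameSite = null;
    boolean secure = false;
    String[] parts = setCookie.split(";");
    // parts[0] is name=value; the rest are attributes, matched case-insensitively.
    for (int i = 1; i < parts.length; i++) {
      String attr = parts[i].trim().toLowerCase(Locale.ROOT);
      if (attr.equals("secure")) {
        secure = true;
      } else if (attr.startsWith("samesite=")) {
        sameSite = attr.substring("samesite=".length()).trim();
      }
    }
    List<String> findings = new ArrayList<>();
    if (sameSite == null) {
      findings.add("no SameSite attribute: the browser's default applies");
    } else if (!List.of("strict", "lax", "none").contains(sameSite)) {
      findings.add("unrecognised SameSite value: " + sameSite);
    } else if (sameSite.equals("none") && !secure) {
      findings.add("SameSite=None without Secure: not delivered on cross-site requests");
    }
    return findings;
  }

  public static void main(String[] args) {
    // Constructed sample headers, not captured from a real application.
    String[] samples = {
      "SESSION=abc123; Path=/; HttpOnly",
      "SESSION=abc123; Path=/; HttpOnly; SameSite=None",
      "SESSION=abc123; Path=/; Secure; HttpOnly; SameSite=None",
      "SESSION=abc123; Path=/; HttpOnly; SameSite=Lax"
    };
    for (String header : samples) {
      List<String> findings = audit(header);
      System.out.println(header + " -> " + (findings.isEmpty() ? "ok" : findings));
    }
  }
}
```

Feed it the Set-Cookie values copied from the browser's developer tools or from an integration test response to check every cookie the application sets, not only the session cookie.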
