Same-Site flag for session cookie in Spring Security
Question
Is it possible to set the Same-site Cookie flag in Spring Security?
And if not, is it on a roadmap to add support, please? There is already support in some browsers (i.e. Chrome).
Accepted answer
Newer Tomcat versions support SameSite cookies via TomcatContextCustomizer. So you only need to customize the Tomcat CookieProcessor, e.g. for Spring Boot:
import org.apache.tomcat.util.http.Rfc6265CookieProcessor;
import org.apache.tomcat.util.http.SameSiteCookies;
import org.springframework.boot.web.embedded.tomcat.TomcatContextCustomizer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

@Configuration
public class MvcConfiguration implements WebMvcConfigurer {

    // Registers a customizer for the embedded Tomcat context; the CookieProcessor
    // it installs adds the SameSite attribute to every cookie Tomcat writes.
    @Bean
    public TomcatContextCustomizer sameSiteCookiesConfig() {
        return context -> {
            final Rfc6265CookieProcessor cookieProcessor = new Rfc6265CookieProcessor();
            cookieProcessor.setSameSiteCookies(SameSiteCookies.NONE.getValue());
            context.setCookieProcessor(cookieProcessor);
        };
    }
}
For SameSiteCookies.NONE, be aware that the cookies also have to be Secure (SSL used); otherwise they could not be applied.
By default, since Chrome 80 cookies are considered SameSite=Lax!
See SameSite Cookie in Spring Boot and SameSite cookie recipes.
For an nginx proxy it can be solved easily in the nginx config:

    if ($scheme = http) {
        return 301 https://$http_host$request_uri;
    }
    proxy_cookie_path / "/; secure; SameSite=None";
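As an added check that is not part of the original answer: the two rules stated above (Chrome 80+ treats a cookie without SameSite as Lax, and SameSite=None is only kept together with Secure) applied to Set-Cookie header values, plus a simplified model of what the nginx proxy_cookie_path line does to a cookie with Path=/. The header values are constructed samples.

```python
import re
from dataclasses import dataclass

@dataclass
class CookieAudit:
    name: str
    same_site: str   # effective value a Chrome 80+ browser applies
    secure: bool
    accepted: bool   # False when the browser would drop the cookie
    note: str

def parse_set_cookie(header: str) -> tuple[str, dict[str, str]]:
    """Split a Set-Cookie value into (cookie name, lower-cased attribute map)."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].partition("=")[0].strip()
    attrs: dict[str, str] = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs

def audit_set_cookie(header: str) -> CookieAudit:
    """Apply the answer's two rules: SameSite=None needs Secure; no SameSite means Lax."""
    name, attrs = parse_set_cookie(header)
    secure = "secure" in attrs
    raw = attrs.get("samesite", "")
    same_site = raw.capitalize() if raw else "Lax"   # Chrome 80 default
    if same_site == "None" and not secure:
        return CookieAudit(name, same_site, secure, False,
                           "SameSite=None without Secure: Chrome 80+ rejects the cookie")
    if not raw:
        return CookieAudit(name, same_site, secure, True,
                           "no SameSite attribute: treated as Lax, so cross-site requests omit it")
    return CookieAudit(name, same_site, secure, True, f"explicit SameSite={same_site}")

def apply_nginx_cookie_path_rewrite(header: str) -> str:
    """Simplified model of `proxy_cookie_path / "/; secure; SameSite=None"` for the
    exact `Path=/` case: a cookie without a Path attribute is left untouched."""
    return re.sub(r"(?i)(;\s*path=)/(?=;|$)", r"\1/; secure; SameSite=None", header)

if __name__ == "__main__":
    before = "JSESSIONID=abc123; Path=/; HttpOnly"   # constructed sample, as Tomcat emits it
    print(audit_set_cookie(before))
    print(audit_set_cookie(apply_nginx_cookie_path_rewrite(before)))
    print(audit_set_cookie("JSESSIONID=abc123; Path=/; SameSite=None; HttpOnly"))
```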