Same-Site flag for session cookie in Spring Security


Question

Is it possible to set the Same-site cookie flag in Spring Security?

And if not, is it on a roadmap to add support, please? There is already support in some browsers (e.g. Chrome).

Answer

New Tomcat versions support SameSite cookies via TomcatContextCustomizer. So you only need to customize the Tomcat CookieProcessor, e.g. for Spring Boot:

import org.apache.tomcat.util.http.Rfc6265CookieProcessor;
import org.apache.tomcat.util.http.SameSiteCookies;
import org.springframework.boot.web.embedded.tomcat.TomcatContextCustomizer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

@Configuration
public class MvcConfiguration implements WebMvcConfigurer {
    @Bean
    public TomcatContextCustomizer sameSiteCookiesConfig() {
        return context -> {
            // Tomcat's RFC 6265 cookie processor appends the configured SameSite
            // attribute to every cookie the container writes, JSESSIONID included.
            final Rfc6265CookieProcessor cookieProcessor = new Rfc6265CookieProcessor();
            cookieProcessor.setSameSiteCookies(SameSiteCookies.NONE.getValue());
            context.setCookieProcessor(cookieProcessor);
        };
    }
}

For SameSiteCookies.NONE be aware that cookies must also be Secure (SSL used); otherwise they can't be applied.

By default, since Chrome 80, cookies are considered SameSite=Lax!

See also: SameSite Cookie in Spring Boot; SameSite Cookie recipes.

For an nginx proxy it could be solved easily in the nginx config:

if ($scheme = http) {
    return 301 https://$http_host$request_uri;
}

proxy_cookie_path / "/; secure; SameSite=None";
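As an added example, not part of the answer above: a servlet filter that applies the same rule to every Set-Cookie header the application writes, for containers that do not offer Tomcat's CookieProcessor hook. It enforces the caveat from the answer that SameSite=None is only honoured when the cookie is also Secure. The filter class, its constructor argument and the javax.servlet API level are assumptions.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;
import javax.servlet.*;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter (not from the answer): rewrites every Set-Cookie header
// the application emitted so it carries the configured SameSite attribute,
// and adds Secure whenever SameSite=None is requested without it.
public class SameSiteCookieFilter implements Filter {
    private static final Pattern SAME_SITE = Pattern.compile("(?i);\\s*SameSite=[^;]*");
    private static final Pattern SECURE = Pattern.compile("(?i)(^|;)\\s*Secure\\s*(;|$)");
    private final String sameSite; // "Lax", "Strict" or "None"

    public SameSiteCookieFilter(String sameSite) {
        this.sameSite = sameSite;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        chain.doFilter(req, res);
        HttpServletResponse response = (HttpServletResponse) res;
        if (response.isCommitted()) {
            return; // headers are already on the wire; nothing can be rewritten
        }
        // Copy first: setHeader() below replaces the collection we are reading.
        List<String> cookies = new ArrayList<>(response.getHeaders("Set-Cookie"));
        for (int i = 0; i < cookies.size(); i++) {
            String fixed = withSameSite(cookies.get(i), sameSite);
            if (i == 0) {
                response.setHeader("Set-Cookie", fixed); // drops the old values
            } else {
                response.addHeader("Set-Cookie", fixed);
            }
        }
    }

    static String withSameSite(String header, String sameSite) {
        // Remove any SameSite attribute already present so the configured value wins.
        String base = SAME_SITE.matcher(header).replaceAll("");
        StringBuilder sb = new StringBuilder(base);
        // Chrome 80+ rejects SameSite=None cookies that are not also Secure.
        if ("None".equalsIgnoreCase(sameSite) && !SECURE.matcher(base).find()) {
            sb.append("; Secure");
        }
        return sb.append("; SameSite=").append(sameSite).toString();
    }
}
```

Register it with a FilterRegistrationBean at a low order so it wraps Spring Security's filter chain and sees every cookie, including the session cookie the container adds.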
