Align settings for sameSite and secure flag

After this change sameSite still gets a default value of "Strict" in CookieWebSessionIdResolver but for changes to either sameSite or secure it is now expected to use addCookieInitializer(Consumer<ResponseCookie.ResponseCookieBuilder>). Issue: SPR-16418, SPR-16980
6 years ago · 43d6ceb6f0
2 changed files with 4 additions and 27 deletions
--- a/spring-web/src/main/java/org/springframework/http/ResponseCookie.java
+++ b/spring-web/src/main/java/org/springframework/http/ResponseCookie.java
@ -296,7 +296,6 @@ public final class ResponseCookie extends HttpCookie {
				@@ -296,7 +296,6 @@ public final class ResponseCookie extends HttpCookie {
 		 * <p>This limits the scope of the cookie such that it will only be
 		 * attached to same site requests if {@code "Strict"} or cross-site
 		 * requests if {@code "Lax"}.
-		 * <p>By default set to {@code "Strict"}.
 		 * @since 5.1
 		 * @see <a href="https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis#section-4.1.2.7">RFC6265 bis</a>
 		 */
--- a/spring-web/src/main/java/org/springframework/web/server/session/CookieWebSessionIdResolver.java
+++ b/spring-web/src/main/java/org/springframework/web/server/session/CookieWebSessionIdResolver.java
@ -42,8 +42,6 @@ public class CookieWebSessionIdResolver implements WebSessionIdResolver {
				@@ -42,8 +42,6 @@ public class CookieWebSessionIdResolver implements WebSessionIdResolver {

 	private Duration cookieMaxAge = Duration.ofSeconds(-1);

-	private String sameSite = "Strict";
-
 	@Nullable
 	private Consumer<ResponseCookie.ResponseCookieBuilder> cookieInitializer = null;

@ -82,26 +80,6 @@ public class CookieWebSessionIdResolver implements WebSessionIdResolver {
				@@ -82,26 +80,6 @@ public class CookieWebSessionIdResolver implements WebSessionIdResolver {
 		return this.cookieMaxAge;
 	}

-	/**
-	 * Set the value for the "SameSite" attribute of the cookie that holds the
-	 * session id. For its meaning and possible values, see
-	 * {@link ResponseCookie#getSameSite()}.
-	 * <p>By default set to {@code "Strict"}.
-	 * @param sameSite the SameSite value
-	 * @since 5.1
-	 */
-	public void setSameSite(String sameSite) {
-		this.sameSite = sameSite;
-	}
-
-	/**
-	 * Return the configured "SameSite" attribute value for the session cookie.
-	 * @since 5.1
-	 */
-	public String getSameSite() {
-		return this.sameSite;
-	}
-
 	/**
 	 * Add {@link Consumer} for a {@link ResponseCookie.ResponseCookieBuilder
 	 * ResponseCookieBuilder} that will be invoked for each cookie being built,
@ -129,25 +107,25 @@ public class CookieWebSessionIdResolver implements WebSessionIdResolver {
				@@ -129,25 +107,25 @@ public class CookieWebSessionIdResolver implements WebSessionIdResolver {
 	@Override
 	public void setSessionId(ServerWebExchange exchange, String id) {
 		Assert.notNull(id, "'id' is required");
-		ResponseCookie cookie = initSessionCookie(exchange, id, getCookieMaxAge(), getSameSite());
+		ResponseCookie cookie = initSessionCookie(exchange, id, getCookieMaxAge());
 		exchange.getResponse().getCookies().set(this.cookieName, cookie);
 	}

 	@Override
 	public void expireSession(ServerWebExchange exchange) {
-		ResponseCookie cookie = initSessionCookie(exchange, "", Duration.ZERO, null);
+		ResponseCookie cookie = initSessionCookie(exchange, "", Duration.ZERO);
 		exchange.getResponse().getCookies().set(this.cookieName, cookie);
 	}

 	private ResponseCookie initSessionCookie(
-			ServerWebExchange exchange, String id, Duration maxAge, @Nullable String sameSite) {
+			ServerWebExchange exchange, String id, Duration maxAge) {

 		ResponseCookie.ResponseCookieBuilder cookieBuilder = ResponseCookie.from(this.cookieName, id)
 				.path(exchange.getRequest().getPath().contextPath().value() + "/")
 				.maxAge(maxAge)
 				.httpOnly(true)
 				.secure("https".equalsIgnoreCase(exchange.getRequest().getURI().getScheme()))
-				.sameSite(sameSite);
+				.sameSite("Strict");

 		if (this.cookieInitializer != null) {
 			this.cookieInitializer.accept(cookieBuilder);