diff --git a/spring-web/src/main/java/org/springframework/http/ResponseCookie.java b/spring-web/src/main/java/org/springframework/http/ResponseCookie.java
index 1bfe0d6d73..c502633210 100644
--- a/spring-web/src/main/java/org/springframework/http/ResponseCookie.java
+++ b/spring-web/src/main/java/org/springframework/http/ResponseCookie.java
@@ -296,7 +296,6 @@ public final class ResponseCookie extends HttpCookie {
 *

This limits the scope of the cookie such that it will only be
 * attached to same site requests if {@code "Strict"} or cross-site
 * requests if {@code "Lax"}.
- *

By default set to {@code "Strict"}.
 * @since 5.1
 * @see RFC6265 bis
 */
diff --git a/spring-web/src/main/java/org/springframework/web/server/session/CookieWebSessionIdResolver.java b/spring-web/src/main/java/org/springframework/web/server/session/CookieWebSessionIdResolver.java
index bd376274ac..a4f3ed78f3 100644
--- a/spring-web/src/main/java/org/springframework/web/server/session/CookieWebSessionIdResolver.java
+++ b/spring-web/src/main/java/org/springframework/web/server/session/CookieWebSessionIdResolver.java
@@ -42,8 +42,6 @@ public class CookieWebSessionIdResolver implements WebSessionIdResolver {
 private Duration cookieMaxAge = Duration.ofSeconds(-1);
- private String sameSite = "Strict";
-
 @Nullable
 private Consumer cookieInitializer = null;
@@ -82,26 +80,6 @@ public class CookieWebSessionIdResolver implements WebSessionIdResolver {
 return this.cookieMaxAge;
 }
- /**
- * Set the value for the "SameSite" attribute of the cookie that holds the
- * session id. For its meaning and possible values, see
- * {@link ResponseCookie#getSameSite()}.
- *

By default set to {@code "Strict"}.
- * @param sameSite the SameSite value
- * @since 5.1
- */
- public void setSameSite(String sameSite) {
- this.sameSite = sameSite;
- }
-
- /**
- * Return the configured "SameSite" attribute value for the session cookie.
- * @since 5.1
- */
- public String getSameSite() {
- return this.sameSite;
- }
-
 /**
 * Add {@link Consumer} for a {@link ResponseCookie.ResponseCookieBuilder
 * ResponseCookieBuilder} that will be invoked for each cookie being built,
@@ -129,25 +107,25 @@ public class CookieWebSessionIdResolver implements WebSessionIdResolver {
 @Override
 public void setSessionId(ServerWebExchange exchange, String id) {
 Assert.notNull(id, "'id' is required");
- ResponseCookie cookie = initSessionCookie(exchange, id, getCookieMaxAge(), getSameSite());
+ ResponseCookie cookie = initSessionCookie(exchange, id, getCookieMaxAge());
 exchange.getResponse().getCookies().set(this.cookieName, cookie);
 }
 @Override
 public void expireSession(ServerWebExchange exchange) {
- ResponseCookie cookie = initSessionCookie(exchange, "", Duration.ZERO, null);
+ ResponseCookie cookie = initSessionCookie(exchange, "", Duration.ZERO);
 exchange.getResponse().getCookies().set(this.cookieName, cookie);
 }
 private ResponseCookie initSessionCookie(
- ServerWebExchange exchange, String id, Duration maxAge, @Nullable String sameSite) {
+ ServerWebExchange exchange, String id, Duration maxAge) {
 ResponseCookie.ResponseCookieBuilder cookieBuilder = ResponseCookie.from(this.cookieName, id)
 .path(exchange.getRequest().getPath().contextPath().value() + "/")
 .maxAge(maxAge)
 .httpOnly(true)
 .secure("https".equalsIgnoreCase(exchange.getRequest().getURI().getScheme()))
- .sameSite(sameSite);
+ .sameSite("Strict");
 if (this.cookieInitializer != null) {
 this.cookieInitializer.accept(cookieBuilder);
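Review bot: The hard-coded `.sameSite("Strict")` in initSessionCookie is applied before the cookieInitializer runs, so the initializer is now the only way to relax the attribute, and nothing on that line records this; a comment such as `// default; a cookieInitializer may override it via ResponseCookieBuilder#sameSite` would make the new contract visible where the old setSameSite Javadoc used to. Strict also means the browser omits the session cookie on top-level cross-site navigations into the application, so a user following an external link arrives without a session unless an initializer sets "Lax"; if the class-level Javadoc (outside this hunk) lists the default cookie attributes, it should state the Strict default and that consequence. The expiry cookie built in expireSession now carries SameSite=Strict as well, which is consistent, since a cookie is matched for clearing by name, domain and path rather than by SameSite. The `secure(...)` flag derived from the request scheme is unchanged context, though it presumably stays false behind a TLS-terminating proxy, which an initializer can also correct. The body of initSessionCookie continues past the end of the hunk.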