Support SameSite Cookie

[rwinch]

We should add support for using SameSite Cookie for session cookie to mitigate CSRF attacks. See https://scotthelme.co.uk/csrf-is-dead/

[richard1122]

Hi, are there any plans to support SameSite cookie in spring-session 1.x.x ?

[rwinch]

@richard1122 If someone sent a PR that was passive with tests we would consider it.

[jmpavlec]

Was this included in a migration guide anywhere or mentioned in the docs? I was not able to find any references about it. Making SameSite=lax for the SESSION cookie as the new default for Spring Session has some implications depending on the browser used. It potentially breaks some cross-domain SSO/SLO functionality that was dependent on the SESSION cookie. Safari also has a bug related to overriding it to be SameSite=none https://bugs.webkit.org/show_bug.cgi?id=198181

More clearly outlined in https://web.dev/samesite-cookies-explained/

Edit: Found it mentioned in release notes: https://spring.io/blog/2018/10/31/spring-session-bean-ga-released

[vpavic]

You're right @jmpavlec, we should provide some info about SameSite support in our reference manual. I've opened #1517 to take care of that.

If you're facing any issues due to presence of SameSite directive in our session cookie, you could disable it by providing a null value to DefaultCookieSerializer#setSameSite. Note that this requires overriding the default cookie serializer by providing your own DefaultCookieSerializer @Bean.