[jira] [Updated] (SHIRO-789) Also add cookie SameSite option to rememberMe cookies

[Benjamin Marwell (Jira)]

     [ 
https://issues.apache.org/jira/browse/SHIRO-789?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Benjamin Marwell updated SHIRO-789:
-----------------------------------
    Description: 
https://issues.apache.org/jira/browse/SHIRO-722 added sameSite-Options to the 
sessionId cookies.

The rememberMe cookie does not have such an option and currently defaults to 
"LAX".

---

This issue is only present in non-spring applications. For spring, the Default 
(and abstract) web configuration has cookie templates, see 
[https://github.com/apache/shiro/blob/master/support/spring/src/main/java/org/apache/shiro/spring/web/config/AbstractShiroWebConfiguration.java#L104-L120]

This is not the case for servlet/jaxrs applications.

The {color:#0747a6}{{SecurityManager}}{color} creates a 
{color:#0747a6}{{CookieRememberMeManager}}{color} and a 
{color:#0747a6}{{ServletContainerSessionManager}}{color}, which is usually 
being overwritten by Using a 
{color:#0747a6}{{DefaultWebSessionManager}}{color}. It has a 
{color:#0747a6}{{sessionIdCookie}}{color} property, which will usually receive 
some default configuration (as a cookie template).

  was:
https://issues.apache.org/jira/browse/SHIRO-722 added sameSite-Options to the 
sessionId cookies.

The rememberMe cookie does not have such an option and currently defaults to 
"LAX".


> Also add cookie SameSite option to rememberMe cookies
> -----------------------------------------------------
>
>                 Key: SHIRO-789
>                 URL: https://issues.apache.org/jira/browse/SHIRO-789
>             Project: Shiro
>          Issue Type: New Feature
>          Components: Web
>    Affects Versions: 1.5.3
>            Reporter: Benjamin Marwell
>            Priority: Major
>
> https://issues.apache.org/jira/browse/SHIRO-722 added sameSite-Options to the 
> sessionId cookies.
> The rememberMe cookie does not have such an option and currently defaults to 
> "LAX".
> ---
> This issue is only present in non-spring applications. For spring, the 
> Default (and abstract) web configuration has cookie templates, see 
> [https://github.com/apache/shiro/blob/master/support/spring/src/main/java/org/apache/shiro/spring/web/config/AbstractShiroWebConfiguration.java#L104-L120]
> This is not the case for servlet/jaxrs applications.
> The {color:#0747a6}{{SecurityManager}}{color} creates a 
> {color:#0747a6}{{CookieRememberMeManager}}{color} and a 
> {color:#0747a6}{{ServletContainerSessionManager}}{color}, which is usually 
> being overwritten by Using a 
> {color:#0747a6}{{DefaultWebSessionManager}}{color}. It has a 
> {color:#0747a6}{{sessionIdCookie}}{color} property, which will usually 
> receive some default configuration (as a cookie template).



--
This message was sent by Atlassian Jira
(v8.3.4#803005)