[
https://issues.apache.org/jira/browse/SHIRO-789?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Benjamin Marwell updated SHIRO-789:
-----------------------------------
Description:
https://issues.apache.org/jira/browse/SHIRO-722 added sameSite-Options to the
sessionId cookies.
The rememberMe cookie does not have such an option and currently defaults to
"LAX".
—
This issue is only present in spring applications. For spring, the Default (and
abstract) web configuration has cookie templates, see
[https://github.com/apache/shiro/blob/master/support/spring/src/main/java/org/apache/shiro/spring/web/config/AbstractShiroWebConfiguration.java#L104-L120]
This is not the case for servlet/jaxrs applications. They have options to
configure those via the shiro.ini:
{code:java}
[main]
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
sessionManager.sessionIdCookieEnabled = true
sessionManager.sessionIdCookie.secure = true
sessionManager.sessionIdCookie.sameSite = STRICT
securityManager.sessionManager = $sessionManager
rememberMeManager = org.apache.shiro.web.mgt.CookieRememberMeManager
rememberMeManager.cookie.secure = true
rememberMeManager.cookie.sameSite = STRICT
securityManager.rememberMeManager = $rememberMeManager {code}
But for shiro, there is no such configuration. See the
AbstractShiroWebConfiguration above.
was:
https://issues.apache.org/jira/browse/SHIRO-722 added sameSite-Options to the
sessionId cookies.
The rememberMe cookie does not have such an option and currently defaults to
"LAX".
---
This issue is only present in non-spring applications. For spring, the Default
(and abstract) web configuration has cookie templates, see
[https://github.com/apache/shiro/blob/master/support/spring/src/main/java/org/apache/shiro/spring/web/config/AbstractShiroWebConfiguration.java#L104-L120]
This is not the case for servlet/jaxrs applications.
The {color:#0747a6}{{SecurityManager}}{color} creates a
{color:#0747a6}{{CookieRememberMeManager}}{color} and a
{color:#0747a6}{{ServletContainerSessionManager}}{color}, which is usually
being overwritten by Using a
{color:#0747a6}{{DefaultWebSessionManager}}{color}. It has a
{color:#0747a6}{{sessionIdCookie}}{color} property, which will usually receive
some default configuration (as a cookie template).
> Also add cookie SameSite option to Spring
> -----------------------------------------
>
> Key: SHIRO-789
> URL: https://issues.apache.org/jira/browse/SHIRO-789
> Project: Shiro
> Issue Type: New Feature
> Components: Web
> Affects Versions: 1.5.3
> Reporter: Benjamin Marwell
> Priority: Major
>
> https://issues.apache.org/jira/browse/SHIRO-722 added sameSite-Options to the
> sessionId cookies.
> The rememberMe cookie does not have such an option and currently defaults to
> "LAX".
> —
> This issue is only present in spring applications. For spring, the Default
> (and abstract) web configuration has cookie templates, see
> [https://github.com/apache/shiro/blob/master/support/spring/src/main/java/org/apache/shiro/spring/web/config/AbstractShiroWebConfiguration.java#L104-L120]
> This is not the case for servlet/jaxrs applications. They have options to
> configure those via the shiro.ini:
> {code:java}
> [main]
> sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
> sessionManager.sessionIdCookieEnabled = true
> sessionManager.sessionIdCookie.secure = true
> sessionManager.sessionIdCookie.sameSite = STRICT
> securityManager.sessionManager = $sessionManager
> rememberMeManager = org.apache.shiro.web.mgt.CookieRememberMeManager
> rememberMeManager.cookie.secure = true
> rememberMeManager.cookie.sameSite = STRICT
> securityManager.rememberMeManager = $rememberMeManager {code}
> But for shiro, there is no such configuration. See the
> AbstractShiroWebConfiguration above.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
