(20/01/08 19:45 postscript)
javax.servlet.http.Cookie has no API for setting the SameSite attribute. This post shows a workaround for that case. By the way, the SameSite attribute is supported by almost all browsers. (Reference)
I will try it with Spring Boot.
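import javax.servlet.http.HttpServletResponse;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class DemoController {
    @GetMapping(value = "/")
    public String index(HttpServletResponse response) {
        String name = "name";
        String value = "takeshi";
        // Write the Set-Cookie header by hand, because Cookie has no SameSite setter.
        String cookie = String.format("%s=%s; max-age=3600; Path=/; HttpOnly; Secure; SameSite=Lax;", name, value);
        response.addHeader("Set-Cookie", cookie);
        return "hello, world!";
    }
}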
The takeshi cookie was set successfully.
Spring Boot (through Spring Framework's spring-web module) has a class called ResponseCookie that creates a cookie string for the header. If you build the cookie with this class and add its string form to the response as a Set-Cookie header, the cookie will be set.
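import java.time.Duration;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.http.ResponseCookie;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class DemoController {
    @GetMapping(value = "/")
    public String index(HttpServletRequest request, HttpServletResponse response) {
        String name = "name";
        String value = "takeshi";
        // ResponseCookie renders the attributes, including SameSite, as a header value.
        ResponseCookie cookie = ResponseCookie.from(name, value).domain("localhost").maxAge(Duration.ofDays(1))
                .httpOnly(true).secure(true).sameSite("Strict").build();
        response.addHeader("Set-Cookie", cookie.toString());
        return "Hello, World";
    }
}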
If you write cookies frequently, it seems better to create a custom class that receives and sets parameters. Alternatively, you can apply the setting in bulk on the web server side, for example in Apache or nginx.
Reference
Class Cookie
https://stackoverflow.com/questions/42717210/samesite-cookie-in-java-application
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie