javax.servlet.http.Cookie has no API for setting the SameSite attribute. This post shows how to handle that case. Incidentally, the SameSite attribute is supported by almost all browsers.

Use the Set-Cookie header instead of the cookie class

I will try it with Spring Boot.

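import javax.servlet.http.HttpServletResponse;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class DemoController {

    @GetMapping(value = "/")
    public String index(HttpServletResponse response) {

        String name = "name";
        String value = "takeshi";

        // Write the raw Set-Cookie header, because Cookie has no SameSite setter.
        String cookie = String.format("%s=%s; max-age=3600; Path=/; HttpOnly; Secure; SameSite=Lax;", name, value);

        response.addHeader("Set-Cookie", cookie);

        return "hello, world!";
    }
}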

The takeshi cookie was set successfully.

Spring Boot

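Spring Boot applications have access to a class called ResponseCookie (org.springframework.http.ResponseCookie) that builds the cookie string for the header. If you build the cookie with this class and add its string form to the response as a Set-Cookie header, the cookie will be set.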

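import java.time.Duration;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.http.ResponseCookie;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class DemoController {
    @GetMapping(value = "/")
    public String index(HttpServletRequest request, HttpServletResponse response) {
        String name = "name";
        String value = "takeshi";
        // sameSite() sets the attribute that javax.servlet.http.Cookie cannot; Lax matches the header example above.
        ResponseCookie cookie = ResponseCookie.from(name, value).domain("localhost")
                .maxAge(Duration.ofDays(1)).sameSite("Lax").build();
        response.addHeader("Set-Cookie", cookie.toString());
        return "Hello, World";
    }
}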


If you set cookies frequently, it is probably better to create a custom class that takes the parameters and sets them. Alternatively, you can configure this in one place on the web server side, for example in Apache or nginx.


