Add support for unsetting the Session Cookie SameSite

Author: filiphr

spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/session/SessionAutoConfiguration.java

@@ -97,7 +97,9 @@ DefaultCookieSerializer cookieSerializer(ServerProperties serverProperties,
 			map.from(cookie::getHttpOnly).to(cookieSerializer::setUseHttpOnlyCookie);
 			map.from(cookie::getSecure).to(cookieSerializer::setUseSecureCookie);
 			map.from(cookie::getMaxAge).asInt(Duration::getSeconds).to(cookieSerializer::setCookieMaxAge);
-			map.from(cookie::getSameSite).as(SameSite::attributeValue).to(cookieSerializer::setSameSite);
+			map.from(cookie::getSameSite)
+				.as((sameSite) -> (sameSite == SameSite.UNSET) ? null : sameSite.attributeValue())
+				.to(cookieSerializer::setSameSite);
 			map.from(cookie::getPartitioned).to(cookieSerializer::setPartitioned);
 			cookieSerializerCustomizers.orderedStream().forEach((customizer) -> customizer.customize(cookieSerializer));
 			return cookieSerializer;

spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/web/reactive/WebSessionIdResolverAutoConfiguration.java

@@ -82,7 +82,7 @@ private void initializeCookie(ResponseCookieBuilder builder) {
 
 	private String getSameSite(Cookie properties) {
 		SameSite sameSite = properties.getSameSite();
-		return (sameSite != null) ? sameSite.attributeValue() : null;
+		return (sameSite != null && sameSite != SameSite.UNSET) ? sameSite.attributeValue() : null;
 	}
 
 }

spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/session/SessionAutoConfigurationTests.java

@@ -170,6 +170,16 @@ void sessionCookieConfigurationIsAppliedToAutoConfiguredCookieSerializer() {
 			});
 	}
 
+	@Test
+	void sessionCookieSameSiteUnsetIsAppliedToAutoConfiguredCookieSerializer() {
+		this.contextRunner.withUserConfiguration(SessionRepositoryConfiguration.class)
+			.withPropertyValues("server.servlet.session.cookie.sameSite=unset")
+			.run((context) -> {
+				DefaultCookieSerializer cookieSerializer = context.getBean(DefaultCookieSerializer.class);
+				assertThat(cookieSerializer).hasFieldOrPropertyWithValue("sameSite", null);
+			});
+	}
+
 	@Test
 	void autoConfiguredCookieSerializerIsUsedBySessionRepositoryFilter() {
 		this.contextRunner.withUserConfiguration(SessionRepositoryConfiguration.class)

spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/web/reactive/WebFluxAutoConfigurationTests.java

@@ -676,6 +676,15 @@ void customSessionCookieConfigurationShouldBeApplied() {
 			}));
 	}
 
+	@Test
+	void sessionCookieUnsetConfigurationShouldBeApplied() {
+		this.contextRunner.withPropertyValues("server.reactive.session.cookie.same-site:unset")
+			.run(assertExchangeWithSession((exchange) -> {
+				List<ResponseCookie> cookies = exchange.getResponse().getCookies().get("SESSION");
+				assertThat(cookies).extracting(ResponseCookie::getSameSite).containsOnlyNulls();
+			}));
+	}
+
 	@ParameterizedTest
 	@ValueSource(classes = { ServerProperties.class, WebFluxProperties.class })
 	void propertiesAreNotEnabledInNonWebApplication(Class<?> propertiesClass) {

spring-boot-project/spring-boot/src/main/java/org/springframework/boot/web/embedded/jetty/JettyServletWebServerFactory.java

@@ -284,7 +284,7 @@ protected final void configureWebAppContext(WebAppContext context, ServletContex
 	private void configureSession(WebAppContext context) {
 		SessionHandler handler = context.getSessionHandler();
 		SameSite sessionSameSite = getSession().getCookie().getSameSite();
-		if (sessionSameSite != null) {
+		if (sessionSameSite != null && sessionSameSite != SameSite.UNSET) {
 			handler.setSameSite(HttpCookie.SameSite.valueOf(sessionSameSite.name()));
 		}
 		Duration sessionTimeout = getSession().getTimeout();

spring-boot-project/spring-boot/src/main/java/org/springframework/boot/web/embedded/tomcat/TomcatServletWebServerFactory.java

@@ -998,7 +998,7 @@ private static class SuppliedSameSiteCookieProcessor extends Rfc6265CookieProces
 		@Override
 		public String generateHeader(Cookie cookie, HttpServletRequest request) {
 			SameSite sameSite = getSameSite(cookie);
-			if (sameSite == null) {
+			if (sameSite == null || sameSite == SameSite.UNSET) {
 				return super.generateHeader(cookie, request);
 			}
 			Rfc6265CookieProcessor delegate = new Rfc6265CookieProcessor();

spring-boot-project/spring-boot/src/main/java/org/springframework/boot/web/embedded/undertow/UndertowServletWebServerFactory.java

@@ -635,7 +635,10 @@ public void handleRequest(HttpServerExchange exchange) throws Exception {
 		private void beforeCommit(HttpServerExchange exchange) {
 			for (Cookie cookie : exchange.responseCookies()) {
 				SameSite sameSite = getSameSite(asServletCookie(cookie));
-				if (sameSite != null) {
+				if (sameSite == SameSite.UNSET) {
+					cookie.setSameSite(false);
+				}
+				else if (sameSite != null) {
 					cookie.setSameSiteMode(sameSite.attributeValue());
 				}
 			}

spring-boot-project/spring-boot/src/main/java/org/springframework/boot/web/server/Cookie.java

@@ -145,6 +145,11 @@ public void setPartitioned(Boolean partitioned) {
 	 */
 	public enum SameSite {
 
+		/**
+		 * Don't set the SameSite cookie attribute.
+		 */
+		UNSET("Unset"),
+
 		/**
 		 * Cookies are sent in both first-party and cross-origin requests.
 		 */

spring-boot-project/spring-boot/src/test/java/org/springframework/boot/web/servlet/server/AbstractServletWebServerFactoryTests.java

@@ -881,7 +881,7 @@ void sessionCookieConfiguration() {
 	}
 
 	@ParameterizedTest
-	@EnumSource
+	@EnumSource(mode = EnumSource.Mode.EXCLUDE, names = "UNSET")
 	void sessionCookieSameSiteAttributeCanBeConfiguredAndOnlyAffectsSessionCookies(SameSite sameSite) throws Exception {
 		AbstractServletWebServerFactory factory = getFactory();
 		factory.getSession().getCookie().setSameSite(sameSite);
@@ -896,7 +896,7 @@ void sessionCookieSameSiteAttributeCanBeConfiguredAndOnlyAffectsSessionCookies(S
 	}
 
 	@ParameterizedTest
-	@EnumSource
+	@EnumSource(mode = EnumSource.Mode.EXCLUDE, names = "UNSET")
 	void sessionCookieSameSiteAttributeCanBeConfiguredAndOnlyAffectsSessionCookiesWhenUsingCustomName(SameSite sameSite)
 			throws Exception {
 		AbstractServletWebServerFactory factory = getFactory();
@@ -949,6 +949,23 @@ void cookieSameSiteSuppliersShouldNotAffectSessionCookie() throws IOException, U
 				(header) -> assertThat(header).contains("test=test").contains("SameSite=Strict"));
 	}
 
+	@Test
+	void cookieSameSiteSuppliersShouldNotAffectUnsetSameSite() throws IOException, URISyntaxException {
+		AbstractServletWebServerFactory factory = getFactory();
+		factory.getSession().getCookie().setSameSite(SameSite.UNSET);
+		factory.getSession().getCookie().setName("SESSIONCOOKIE");
+		factory.addCookieSameSiteSuppliers(CookieSameSiteSupplier.ofStrict());
+		factory.addInitializers(new ServletRegistrationBean<>(new CookieServlet(false), "/"));
+		this.webServer = factory.getWebServer();
+		this.webServer.start();
+		ClientHttpResponse clientResponse = getClientResponse(getLocalUrl("/"));
+		assertThat(clientResponse.getStatusCode()).isEqualTo(HttpStatus.OK);
+		List<String> setCookieHeaders = clientResponse.getHeaders().get("Set-Cookie");
+		assertThat(setCookieHeaders).satisfiesExactlyInAnyOrder(
+				(header) -> assertThat(header).contains("SESSIONCOOKIE").doesNotContain("SameSite"),
+				(header) -> assertThat(header).contains("test=test").contains("SameSite=Strict"));
+	}
+
 	@Test
 	protected void sslSessionTracking() {
 		AbstractServletWebServerFactory factory = getFactory();