Add support for unsetting the Session Cookie SameSite #44714

filiphr · 2025-03-14T09:40:50Z

The main reason for this pull request is to make it easier to disable setting the SameSite cookie in the Spring Session CookieSerializer. The default for the Spring Session is Lax. However, this does not work when using SAML with POST redirect, when the cookie is Lax, then the session cookie will not be sent when the redirect happens and thus the authentication will not work (see https://stackoverflow.com/questions/60068271/samesite-attribute-break-saml-flow/60096206#60096206 and https://www.linkedin.com/pulse/samesite-cookie-infinite-redirections-saml-digvijay-singh/).

The current workaround I have is to expose the following bean

@Bean
public DefaultCookieSerializerCustomizer disableSameSite() {
    return cookieSerializer -> cookieSerializer.setSameSite(null);
}

i.e. use the serializer to disable the cookie.

If this PR is accepted it would make it easier to configure this without the need to expose a bean by just doing

server.servlet.session.cookie.same-site=unset

Signed-off-by: Filip Hrisafov <filip.hrisafov@gmail.com>

spring-projects-issues added the status: waiting-for-triage label Mar 14, 2025

filiphr force-pushed the unset-same-site branch from 51f55fd to f8f0a42 Compare March 14, 2025 10:04

Add support for unsetting the Session Cookie SameSite

0307025

Signed-off-by: Filip Hrisafov <filip.hrisafov@gmail.com>

filiphr force-pushed the unset-same-site branch from 5aca789 to eca72bd Compare March 14, 2025 15:01

Fix failing test

3d808be

Signed-off-by: Filip Hrisafov <filip.hrisafov@gmail.com>

filiphr force-pushed the unset-same-site branch from eca72bd to 3d808be Compare March 14, 2025 15:22

Provide feedback