Support for Partitioned cookie attribute

Open bachkilan opened this issue 1 year ago • 2 comments

Expected Behavior

Able to add the Partitioned cookie attribute for Spring Session in DefaultCookieSerializer

Current Behavior

No field available for partitioned

Context

This is relevant for webapps embedded in IFrames across domains, typically those which already have configured "SameSite=None" cookie attribute: starting 2024, Google/Chrome will start phasing out third-party cookies, see https://developers.google.com/privacy-sandbox/3pcd

We need to have this attribute set to have our site working embedded in Chrome.

bachkilan avatar Feb 09 '24 23:02 bachkilan

Hi, @bachkilan. Thanks for the report.

I believe that we can add a setCookieCustomizer(Consumer<ResponseCookie.ResponseCookieBuilder> cookieCustomizer) that would allow us to customize any attribute available in ResponseCookieBuilder. It would look like https://github.com/spring-projects/spring-security/pull/12237. It would also deprecate the other attributes' setter methods, since we will prefer setting your own customizer over setting each attribute individually.

Are you interested in submitting a PR that adds the new setter?

marcusdacoregio avatar Feb 14 '24 16:02 marcusdacoregio

Related https://github.com/spring-projects/spring-framework/issues/31454

marcusdacoregio avatar Mar 11 '24 13:03 marcusdacoregio

Related spring-projects/spring-framework#31454

And I add the same comment here: We are still on Spring Boot v2.7.18, using Spring v5.3.31. Just have a bunch of 120 customers with 10000 end users using the app in IFRAME and this will force customers to remove IFRAME, which will be a royal pain for us.

4braincells avatar Jun 11 '24 18:06 4braincells

@marcusdacoregio Did you guys forget to add the auto configuration? Or was that intentionally skipped?

See https://github.com/spring-projects/spring-session/blob/3.4.0-M2/spring-session-core/src/main/java/org/springframework/session/config/annotation/web/http/SpringHttpSessionConfiguration.java#L180

I'd have expected that setting partitioned: 'true' in application.yaml would work

server:
  servlet:
    session:
      cookie:
        same-site: 'none'
        partitioned: 'true'  # <--- ignored?
        secure: 'true' # <-- coincidentally also not ignored?

but based on the code it looks like nothing reads it.

miskr-instructure avatar Sep 13 '24 16:09 miskr-instructure

Hi @miskr-instructure. Application properties are a feature of Spring Boot. Please open an enhancement request on their issue tracker.

marcusdacoregio avatar Sep 13 '24 16:09 marcusdacoregio

^ Hopefully will work with config after https://github.com/spring-projects/spring-boot/pull/42316

miskr-instructure avatar Sep 16 '24 08:09 miskr-instructure
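
Whether a property or setter actually took effect can be checked on the wire by auditing the `Set-Cookie` header for the attribute combination discussed in this thread (SameSite=None, Secure, Partitioned). The following is an added example, not part of the thread or of Spring Session's code; the function names and the sample header values are constructed for illustration.

```python
# Added example: audit Set-Cookie values for the SameSite=None / Secure /
# Partitioned combination needed by a session cookie used in a cross-site iframe.
from dataclasses import dataclass


@dataclass
class CookieAudit:
    name: str
    attrs: dict
    problems: list


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, {lowercased attribute: value})."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, value = part.partition("=")
            attrs[key.strip().lower()] = value.strip()
    return name, attrs


def audit_cookie(header_value):
    """Return the parsed cookie plus a list of attribute problems (empty = ok)."""
    name, attrs = parse_set_cookie(header_value)
    same_site = attrs.get("samesite", "").lower()
    secure = "secure" in attrs
    partitioned = "partitioned" in attrs
    problems = []
    if same_site == "none" and not secure:
        problems.append("SameSite=None without Secure: cookie is rejected")
    if partitioned and not secure:
        problems.append("Partitioned without Secure: cookie is rejected")
    if partitioned and same_site != "none":
        problems.append("Partitioned without SameSite=None: not sent in cross-site iframes")
    if same_site == "none" and secure and not partitioned:
        problems.append("SameSite=None without Partitioned: blocked where third-party cookies are restricted")
    return CookieAudit(name, attrs, problems)


# Constructed sample headers (not captured from a real application).
SAMPLES = [
    "SESSION=abc123; Path=/; Secure; HttpOnly; SameSite=None",
    "SESSION=abc123; Path=/; Secure; HttpOnly; SameSite=None; Partitioned",
    "SESSION=abc123; Path=/; HttpOnly; SameSite=None; Partitioned",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        result = audit_cookie(raw)
        print(result.name, "->", result.problems or "ok")
```

Feed it the `Set-Cookie` values copied from the browser's network panel or from an integration test response to see which attribute is missing.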