You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@shiro.apache.org by "Benjamin Marwell (Jira)" <ji...@apache.org> on 2020/08/16 16:59:00 UTC
[jira] [Updated] (SHIRO-789) Also add cookie SameSite option to
rememberMe cookies
[ https://issues.apache.org/jira/browse/SHIRO-789?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Benjamin Marwell updated SHIRO-789:
-----------------------------------
Description:
https://issues.apache.org/jira/browse/SHIRO-722 added sameSite-Options to the sessionId cookies.
The rememberMe cookie does not have such an option and currently defaults to "LAX".
---
This issue is only present in non-spring applications. For spring, the Default (and abstract) web configuration has cookie templates, see [https://github.com/apache/shiro/blob/master/support/spring/src/main/java/org/apache/shiro/spring/web/config/AbstractShiroWebConfiguration.java#L104-L120]
This is not the case for servlet/jaxrs applications.
The {color:#0747a6}{{SecurityManager}}{color} creates a {color:#0747a6}{{CookieRememberMeManager}}{color} and a {color:#0747a6}{{ServletContainerSessionManager}}{color}, which is usually being overwritten by Using a {color:#0747a6}{{DefaultWebSessionManager}}{color}. It has a {color:#0747a6}{{sessionIdCookie}}{color} property, which will usually receive some default configuration (as a cookie template).
was:
https://issues.apache.org/jira/browse/SHIRO-722 added sameSite-Options to the sessionId cookies.
The rememberMe cookie does not have such an option and currently defaults to "LAX".
> Also add cookie SameSite option to rememberMe cookies
> -----------------------------------------------------
>
> Key: SHIRO-789
> URL: https://issues.apache.org/jira/browse/SHIRO-789
> Project: Shiro
> Issue Type: New Feature
> Components: Web
> Affects Versions: 1.5.3
> Reporter: Benjamin Marwell
> Priority: Major
>
> https://issues.apache.org/jira/browse/SHIRO-722 added sameSite-Options to the sessionId cookies.
> The rememberMe cookie does not have such an option and currently defaults to "LAX".
> ---
> This issue is only present in non-spring applications. For spring, the Default (and abstract) web configuration has cookie templates, see [https://github.com/apache/shiro/blob/master/support/spring/src/main/java/org/apache/shiro/spring/web/config/AbstractShiroWebConfiguration.java#L104-L120]
> This is not the case for servlet/jaxrs applications.
> The {color:#0747a6}{{SecurityManager}}{color} creates a {color:#0747a6}{{CookieRememberMeManager}}{color} and a {color:#0747a6}{{ServletContainerSessionManager}}{color}, which is usually being overwritten by Using a {color:#0747a6}{{DefaultWebSessionManager}}{color}. It has a {color:#0747a6}{{sessionIdCookie}}{color} property, which will usually receive some default configuration (as a cookie template).
--
This message was sent by Atlassian Jira
(v8.3.4#803005)