Posted to commits@shiro.apache.org by bd...@apache.org on 2020/10/17 14:57:15 UTC

[shiro] branch master updated: deleteMe cookie should use the defined "sameSite"

This is an automated email from the ASF dual-hosted git repository.

bdemers pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/shiro.git


The following commit(s) were added to refs/heads/master by this push:
     new c5e8075  deleteMe cookie should use the defined "sameSite"
     new c632a62  Merge pull request #257 from FredTreg/patch-1
c5e8075 is described below

commit c5e80757f67d4b5c3849f3e25b4bac470384e9c2
Author: Frederic Tregon <fr...@codingame.com>
AuthorDate: Thu Oct 1 11:11:53 2020 +0200

    deleteMe cookie should use the defined "sameSite"
    
    With Chrome increasing security of cookies not defining any SameSite options, the deleteMe cookie may be blocked by Chrome under some circumstances.
    For example, when an app is used within a cross-site iframe, one must define the SameSite=None option. This works for the main cookie, but the deleteMe cookie is currently blocked. This commit fixes this.
---
 web/src/main/java/org/apache/shiro/web/servlet/SimpleCookie.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/web/src/main/java/org/apache/shiro/web/servlet/SimpleCookie.java b/web/src/main/java/org/apache/shiro/web/servlet/SimpleCookie.java
index a084e4f..fe28f3d 100644
--- a/web/src/main/java/org/apache/shiro/web/servlet/SimpleCookie.java
+++ b/web/src/main/java/org/apache/shiro/web/servlet/SimpleCookie.java
@@ -398,7 +398,7 @@ public class SimpleCookie implements Cookie {
         int version = getVersion();
         boolean secure = isSecure();
         boolean httpOnly = false; //no need to add the extra text, plus the value 'deleteMe' is not sensitive at all
-        SameSiteOptions sameSite = null;
+        SameSiteOptions sameSite = getSameSite();
 
         addCookieHeader(response, name, value, comment, domain, path, maxAge, version, secure, httpOnly, sameSite);
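Review bot: the patch is a one-line behavioural fix with no accompanying test, and the new `sameSite = getSameSite()` only does what the commit message wants when `Secure` is present too, because browsers discard a `SameSite=None` cookie that is not also `Secure`. The hunk keeps `boolean secure = isSecure();`, so the deleteMe header inherits the same `Secure` flag as the session cookie and the two stay consistent; when no SameSite option is configured, `getSameSite()` yields the same `null` the old line hard-coded, so existing deployments are unaffected. Suggest adding a unit test that configures the cookie with SameSite NONE and secure=true, runs the removal path that produces this header, and asserts the resulting `Set-Cookie` value contains `SameSite=None`, so a later refactor cannot silently reintroduce the hard-coded `null`.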
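The failure mode the commit message describes, as an added example that is not part of the Shiro code base: a small model of how a browser with the Chrome 80+ "Lax by default" rule treats a session cookie and the "deleteMe" logout cookie when the application runs in a cross-site iframe. The three Set-Cookie headers are constructed for the example (the cookie name, path and Max-Age are assumptions, not copied from Shiro); the policy function encodes only the two rules the commit relies on, namely that a cookie without SameSite is treated as Lax and dropped in a cross-site context, and that SameSite=None is stored only together with Secure.

```python
"""Added example (not Shiro's code): why a deleteMe cookie without the
configured SameSite attribute never reaches the browser when the app
is embedded in a cross-site iframe, and therefore never clears the session."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class SetCookie:
    name: str
    value: str
    secure: bool
    same_site: Optional[str]   # "Strict", "Lax", "None", or None when the attribute is absent


def parse_set_cookie(header: str) -> SetCookie:
    """Parse the parts of a Set-Cookie header that matter for SameSite handling."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    secure = False
    same_site = None
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            secure = True
        elif key == "samesite":
            same_site = val.strip().capitalize()   # "none" -> "None", "lax" -> "Lax"
    return SetCookie(name.strip(), value.strip(), secure, same_site)


def accepted_in_cross_site_iframe(cookie: SetCookie) -> bool:
    """Model of the Chrome 80+ defaults (assumption: only the two rules the
    commit depends on are encoded here):
      * no SameSite attribute is treated as Lax, and Lax/Strict cookies are
        not stored from a cross-site (iframe) response;
      * SameSite=None is stored only when Secure is also present."""
    effective = cookie.same_site or "Lax"
    if effective in ("Lax", "Strict"):
        return False
    return cookie.secure


def logout_clears_session(session_header: str, delete_header: str) -> bool:
    """True when the session cookie was stored and the logout (deleteMe)
    cookie for the same name is also accepted, so it overwrites and expires it."""
    session = parse_set_cookie(session_header)
    delete = parse_set_cookie(delete_header)
    return (accepted_in_cross_site_iframe(session)
            and delete.name == session.name
            and accepted_in_cross_site_iframe(delete))


# Constructed headers for the example (cookie name, path and Max-Age are assumed).
SESSION_COOKIE = "JSESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=None"
# Before the fix: sameSite was hard-coded to null, so no SameSite attribute is emitted.
DELETE_BEFORE = "JSESSIONID=deleteMe; Path=/; Max-Age=0; Secure"
# After the fix: the configured SameSite (here None) is emitted on the deleteMe cookie too.
DELETE_AFTER = "JSESSIONID=deleteMe; Path=/; Max-Age=0; Secure; SameSite=None"

if __name__ == "__main__":
    print("before fix, logout clears session:", logout_clears_session(SESSION_COOKIE, DELETE_BEFORE))
    print("after fix,  logout clears session:", logout_clears_session(SESSION_COOKIE, DELETE_AFTER))
```

The second rule is why the reviewer's Secure/SameSite=None coupling matters: emitting `SameSite=None` on the deleteMe cookie fixes the iframe logout only if the cookie is also marked `Secure`, which in Shiro follows the same `isSecure()` setting as the session cookie.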