You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@shiro.apache.org by "Brian Demers (Jira)" <ji...@apache.org> on 2020/10/19 22:21:00 UTC

[jira] [Updated] (SHIRO-789) Also add cookie SameSite option to Spring

     [ https://issues.apache.org/jira/browse/SHIRO-789?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Brian Demers updated SHIRO-789:
-------------------------------
    Fix Version/s:     (was: 1.6.1)
                   1.7.0

> Also add cookie SameSite option to Spring
> -----------------------------------------
>
>                 Key: SHIRO-789
>                 URL: https://issues.apache.org/jira/browse/SHIRO-789
>             Project: Shiro
>          Issue Type: New Feature
>          Components: Integration: Spring
>    Affects Versions: 1.5.3
>            Reporter: Benjamin Marwell
>            Priority: Major
>             Fix For: 2.0.0, 1.7.0
>
>          Time Spent: 2.5h
>  Remaining Estimate: 0h
>
> https://issues.apache.org/jira/browse/SHIRO-722 added sameSite-Options to the sessionId cookies.
> The rememberMe cookie does not have such an option and currently defaults to "LAX".
> —
> This issue is only present in spring applications. For spring, the Default (and abstract) web configuration has cookie templates, see [https://github.com/apache/shiro/blob/master/support/spring/src/main/java/org/apache/shiro/spring/web/config/AbstractShiroWebConfiguration.java#L104-L120]
> This is not the case for servlet/jaxrs applications. They have options to configure those via the shiro.ini:
> {code:java}
> [main]
> sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
> sessionManager.sessionIdCookieEnabled = true
> sessionManager.sessionIdCookie.secure = true
> sessionManager.sessionIdCookie.sameSite = STRICT
> securityManager.sessionManager = $sessionManager
> rememberMeManager = org.apache.shiro.web.mgt.CookieRememberMeManager
> rememberMeManager.cookie.secure = true
> rememberMeManager.cookie.sameSite = STRICT
> securityManager.rememberMeManager = $rememberMeManager {code}
> But for shiro, there is no such configuration. See the AbstractShiroWebConfiguration above.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)