[ https://issues.apache.org/jira/browse/SHIRO-789?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Brian Demers updated SHIRO-789:
-------------------------------
    Fix Version/s:     (was: 1.6.1)
                   1.7.0

> Also add cookie SameSite option to Spring
> -----------------------------------------
>
>                 Key: SHIRO-789
>                 URL: https://issues.apache.org/jira/browse/SHIRO-789
>             Project: Shiro
>          Issue Type: New Feature
>          Components: Integration: Spring
>    Affects Versions: 1.5.3
>            Reporter: Benjamin Marwell
>            Priority: Major
>             Fix For: 2.0.0, 1.7.0
>
>          Time Spent: 2.5h
>  Remaining Estimate: 0h
>
> https://issues.apache.org/jira/browse/SHIRO-722 added sameSite-Options to the
> sessionId cookies.
> The rememberMe cookie does not have such an option and currently defaults to
> "LAX".
> —
> This issue is only present in spring applications. For spring, the Default
> (and abstract) web configuration has cookie templates, see
> [https://github.com/apache/shiro/blob/master/support/spring/src/main/java/org/apache/shiro/spring/web/config/AbstractShiroWebConfiguration.java#L104-L120]
> This is not the case for servlet/jaxrs applications. They have options to
> configure those via the shiro.ini:
> {code:java}
> [main]
> sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
> sessionManager.sessionIdCookieEnabled = true
> sessionManager.sessionIdCookie.secure = true
> sessionManager.sessionIdCookie.sameSite = STRICT
> securityManager.sessionManager = $sessionManager
> rememberMeManager = org.apache.shiro.web.mgt.CookieRememberMeManager
> rememberMeManager.cookie.secure = true
> rememberMeManager.cookie.sameSite = STRICT
> securityManager.rememberMeManager = $rememberMeManager
> {code}
> But for shiro, there is no such configuration. See the
> AbstractShiroWebConfiguration above.

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
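
A check that can be run over captured response headers to confirm that both cookies actually carry the attributes set in the shiro.ini above. This is an added example, not part of the original message or of Shiro; the cookie names are assumed to be Shiro's defaults and the sample headers are constructed.

```python
# Added example: audit Set-Cookie headers against the policy from the shiro.ini
# in the issue (sameSite = STRICT, secure = true for both cookies).
# Assumption: the application uses Shiro's default cookie names.
EXPECTED = {"JSESSIONID": "strict", "rememberMe": "strict"}


def parse_set_cookie(header):
    """Return (name, attrs); attrs maps lower-cased attribute names to values."""
    first, *rest = [part.strip() for part in header.split(";")]
    name = first.split("=", 1)[0].strip()
    attrs = {}
    for part in rest:
        if part:
            key, _, value = part.partition("=")
            attrs[key.strip().lower()] = value.strip()
    return name, attrs


def audit(headers, expected=EXPECTED):
    """Return a list of (cookie, problem) tuples; empty means the policy holds."""
    findings, seen = [], set()
    for header in headers:
        name, attrs = parse_set_cookie(header)
        if name not in expected:
            continue
        seen.add(name)
        same_site = attrs.get("samesite", "").lower()
        if same_site != expected[name]:
            findings.append(
                (name, f"SameSite is {same_site or 'absent'}, expected {expected[name]}")
            )
        if "secure" not in attrs:
            findings.append((name, "Secure flag missing"))
    # A cookie that never appeared was not verified, so report it instead of passing.
    for name in sorted(set(expected) - seen):
        findings.append((name, "cookie not observed"))
    return findings


# Constructed sample: session cookie hardened, rememberMe left at the default.
SAMPLE = [
    "JSESSIONID=3f1c0a; Path=/; Secure; HttpOnly; SameSite=strict",
    "rememberMe=deleteMe; Path=/; Max-Age=0; HttpOnly; SameSite=lax",
]

if __name__ == "__main__":
    for cookie, problem in audit(SAMPLE):
        print(f"{cookie}: {problem}")
```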