Why is Spring Security setting CSRF cookie with SameSite=None attribute?
I have a Springboot application with Spring Security 6 and a single page application for frontend (Vue). I configured anti-CSRF using the exact same config as the one described in the documentation. The backend and the frontend are both running on localhost but on separated ports so I have CORS configuration enabled.
The XSRF-TOKEN cookie set has the attribute SameSite=None
Why is Spring Security setting the cookie with SameSite=None?
Since your backend and frontend are on different ports they are not considered to be on the same site, hence SameSite is set to None otherwise you would not be getting the cookie at all.
SameSite includes host and port.
So localhost:8080 is not the same site as localhost:3000.
Also please note that you cant have same site None and Secured false, Secure true is only allowed in HTTPS requests, and SameSite None is only allowed when having Secured True (so only in HTTPS requests).
You can read more about the attributes here https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#samesitesamesite-value
So this is mainly set as such because of those reasons and are a compromise to make your application working locally.
- response.clearCookie() followed by response.cookie() leads to 2 same-name cookies
- Why is my PHP session data not persisting across pages?
- How can I set a cookie with expire time?
- Cookies in Set-Cookie are being ignored by browser
- Recommended method to prevent any content inside iframe from setting cookies
- Unable to access cookie in domain that is set in subdomain
- What is the difference between localStorage, sessionStorage, session and cookies?
- How do I create and read a value from cookie with javascript?
- Laravel Session always changes every refresh / request in Laravel 5.4
- How handle refresh token and access token for auth system
- Is there any way to get stored cookies from a different domain?
- Go Gin ctx.SetCookie can't clear cookie for a specific domain
- React Native - Use cookies to authenticate in WebView
- How to store httpOnly cookie after redirect from custom SSO?
- Where to store the refresh token on the Client?
- How to store this data in cookies?
- Using Cookie to set username and password via Javascript
- Access token and Refresh token best practices ? How to implement Access & Refresh Tokens
- Cookie XSRF-TOKEN created without the httponly flag - Laravel 5.8
- Browser does not store Http Cookie from ASP.NET Web API Docker
- How does cookie-based authentication work?
- How to handle cookies securely during the REST API call in SWIFT 3 or 4?
- How to access a website that requires login via cookies
- How to read a HttpOnly cookie using JavaScript
- Angular: Cookie not available in the first execution of APP_INITIALIZER function, component renders with initial value and re-renders with new value
- Login session id's with hash
- How to retrieve a value from ngx-cookie-service before the app loads?
- Why is Spring Security setting CSRF cookie with SameSite=None attribute?
- Render.com: HttpOnly Cookie not being set in browser storage when doing res.cookie between Web Services
- Parse cookie string in golang