Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow customizing AbstractRememberMeServices cookie #14990

Closed
ooraini opened this issue Apr 30, 2024 · 1 comment · Fixed by #15203
Closed

Allow customizing AbstractRememberMeServices cookie #14990

ooraini opened this issue Apr 30, 2024 · 1 comment · Fixed by #15203
Assignees
@marcusdacoregio
Labels
in: web An issue in web modules (web, webmvc) status: duplicate A duplicate of another issue status: ideal-for-contribution An issue that we actively are looking for someone to help us with type: enhancement A general enhancement
Milestone
6.4.0-M1

Comments

@ooraini
Copy link

ooraini commented Apr 30, 2024

Expected Behavior

Current Behavior

Context

I want to set the same-site attribute for the remember-me cookie. The servlet Cookie class exposes the setAttribute method to modify the cookie attribute. We can add setCookeAttribute to AbstractRememberMeServices or offer a post-processor style API that allows clients to modify the cookie:

363
	protected void setCookie(String[] tokens, int maxAge, HttpServletRequest request, HttpServletResponse response) {
		String cookieValue = encodeCookie(tokens);
		Cookie cookie = new Cookie(this.cookieName, cookieValue);
		cookie.setMaxAge(maxAge);
		cookie.setPath(getCookiePath(request));
		if (this.cookieDomain != null) {
			cookie.setDomain(this.cookieDomain);
		}
		if (maxAge < 1) {
			cookie.setVersion(1);
		}
		cookie.setSecure((this.useSecureCookie != null) ? this.useSecureCookie : request.isSecure());
		cookie.setHttpOnly(true);

                 this.cookiePostProcessor.accept(cookie); // NEW

		response.addCookie(cookie);
	}

And the same thing for the configurer
@ooraini ooraini added status: waiting-for-triage An issue we've not yet triaged type: enhancement A general enhancement labels Apr 30, 2024
@marcusdacoregio marcusdacoregio self-assigned this May 23, 2024
@marcusdacoregio marcusdacoregio added in: web An issue in web modules (web, webmvc) and removed status: waiting-for-triage An issue we've not yet triaged labels May 23, 2024
@marcusdacoregio
Copy link
Contributor

Hi, @ooraini. Thanks for the suggestion.

I believe we can add something like we have in CookieCsrfTokenRepository. Would you be interested in submitting a PR that adds a new cookieCustomizer field, following what I linked above?

@marcusdacoregio marcusdacoregio added the status: ideal-for-contribution An issue that we actively are looking for someone to help us with label May 23, 2024
CrazyParanoid pushed a commit to CrazyParanoid/spring-security that referenced this issue Jun 5, 2024
Add support remember-me cookie customization
21119ea 
Closes spring-projectsgh-14990
@CrazyParanoid CrazyParanoid mentioned this issue Jun 5, 2024
Merged
marcusdacoregio pushed a commit that referenced this issue Jun 5, 2024
@marcusdacoregio
Add support remember-me cookie customization
44f9396 
Closes gh-14990
@marcusdacoregio marcusdacoregio added the status: duplicate A duplicate of another issue label Jun 5, 2024
@marcusdacoregio marcusdacoregio added this to the 6.4.0-M1 milestone Jun 5, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@marcusdacoregio marcusdacoregio

Labels
in: web An issue in web modules (web, webmvc) status: duplicate A duplicate of another issue status: ideal-for-contribution An issue that we actively are looking for someone to help us with type: enhancement A general enhancement
Projects
None yet
Milestone
6.4.0-M1
Development

Successfully merging a pull request may close this issue.

Add support remember-me cookie customization CrazyParanoid/spring-security
2 participants
@ooraini @marcusdacoregio