Configure SameSite attribute on session Cookies for Spring WebFlux #20970
Description
This issue is about configuring the SameSite attribute in a consistent way for session cookies in Spring WebFlux.
Here's a link explaining the basics about SameSite Cookie attribute: https://web.dev/samesite-cookies-explained/
Google Chrome and other browsers are about to enforce new security policies for SameSite attributes in Cookies. See:
- Chromium timeline for SameSite updates: https://www.chromium.org/updates/same-site
- Initial announcement: https://blog.chromium.org/2019/10/developers-get-ready-for-new.html
- Rollout is delayed: https://blog.chromium.org/2020/04/temporarily-rolling-back-samesite.html
As explained by Rossen here, Spring WebFlux is managing its own Cookie abstraction and supports the SameSite attribute already - throught a custom serializer or native support of the Web Server.
Spring Boot could provide configuration properties to change the SameSite attribute for session cookies.
See #15047 for more information, in the context of the same improvement for Spring Session.