Spring session does not redirect back to original request

[naspredam]

We are using spring-session, in order to store the session on the database (jdbc). The version we were using is:

    implementation "org.springframework.session:spring-session-core:2.0.10.RELEASE"
    implementation "org.springframework.session:spring-session-jdbc:2.0.10.RELEASE"

We have front end and backend decoupled, so, on the login endpoint we send a query param with the redirectBack on the front end, and this was working on this version. What it doing is (we are using SAML 2.0):

/login?redirectBack=/blablabla -> login to SAML -> /login?redirectBack=/blablabla

When we upgrade do spring boot 2.2.4-RELEASE we removed the version to have the latest version 2.2.0-RELEASE (2.0.10.RELEASE does not work on this spring-boot version), and when we login (we are using SAML2.0) it always redirect back to /...

/login?redirectBack=/blablabla -> login to SAML -> /

We saw that not only on 2.2.0-RELEASE of the spring-session was happening this issue, any version after 2.0.x-RELEASE.

Just as a note, we are using the spring-saml-dsl, and we tried to use some standard solution to redirect back to the original request, but this kind of interfers with spring saml dsl.

[eleftherias]

Thank you for the report @naspredam.

This behaviour occurs because the redirect URI is saved in the session, while the SameSite attribute is set to Lax on the session cookie.
This means that the session cookie will not be included in any POST requests to your application.

In the SAML flow, the identity provider sends a POST requests to your application at {baseUrl}/login/saml2/sso/{registrationId}.

In older versions, the session cookie was included in that request because the SameSite attribute is not specified. This means that the application can read the redirect URI from the session cookie and redirect the user back to where they started.

In the latest versions, the session cookie is not included in that request because the SameSite attribute is set to Lax. This means that the application cannot access the redirect URI either.

You can read more about the SameSite attribute here.

A possible workaround is to set the SameSite enforcement back to None, which you can do using a custom CookieSerializer.

For example:

@Bean
public CookieSerializer cookieSerializer() {
	DefaultCookieSerializer serializer = new DefaultCookieSerializer();
	serializer.setCookieName("SESSION");
	serializer.setCookiePath("/");
	serializer.setDomainNamePattern("^.+?\\.(\\w+\\.[a-z]+)$");
	serializer.setSameSite(null);
	return serializer;
}

Note that this workaround is not ideal, since it allows the session cookie to be included in any request to your application. This can make your application vulnerable to CSRF attacks.

[naspredam]

Thanks @eleftherias for the workaround.

But just wondering, if this is not recommendable due to CSRF vulnerabilities, what is the recommended in case I have configured SAML with spring-session and I would like to track a redirectBack?

[naspredam]

As per no reply, I am closing this issue. No solution just a workaround, which has security implications.