Improve Single-Sign-On Redirect for SameSite=Lax and SameSite=Strict

[jzheaux]

Lax + POST mitigation as well as the following Spring Security tickets:

• https://github.com/spring-projects/spring-security/issues/14013
• https://github.com/spring-projects/spring-security/issues/11468

explain some of the difficulties around using SameSite=Lax or SameSite=Strict when using SSO technologies like SAML and others that redirect with a POST.

There are a few ways to consider:

• Provide an implementation of CookieSameSiteSupplier that writes the session cookie as SameSite=None pre-login and as SameSite=Strict post-login (Boot-specific solution)

• Have the session cookie always be SameSite=None and introduce a SameSite=Strict correlation cookie when authentication succeeds. The correlation cookie has a secure random value that must match a certain session attribute, lest the session be invalidated.

• Add a separate SameSite=None cookie whose opaque token references pre-login information, the opaque token could be the RelayState. It would be created when login begins and destroyed when login completes either successfully or unsuccessfully.

• Use the Artifact binding instead (SAML-specific). Such allows the redirect from the IdP to be a GET instead of a POST.

[jzheaux]

Boot applications can achieve the first bullet by doing:

private static final String NAME = Authentication.class.getName();

@EventListener
public void onAuthenticationSuccess(AuthenticationSuccessEvent event) {
    RequestAttributes attributes = RequestContextHolder.currentRequestAttributes();
    attributes.setAttribute(NAME, event.getAuthentication(), RequestAttributes.SCOPE_REQUEST);
}

@Bean
public CookieSameSiteSupplier authenticationBased() {
    CookieSameSiteSupplier supplier = (cookie) -> {
        RequestAttributes attributes = RequestContextHolder.currentRequestAttributes();
        Authentication authentication = (Authentication) attributes.getAttribute(NAME, RequestAttributes.SCOPE_REQUEST);
        return (authentication == null || !authentication.isAuthenticated()) ?
                Cookie.SameSite.NONE : Cookie.SameSite.STRICT;
    };
    return supplier.whenHasName("JSESSIONID");
}

[skshitiz-vmw]

To add one scenario related to the first bullet: if we try to set Cookie.SameSite as none in http application (not https secure), we will get ERR_TOO_MANY_REDIRECTS as the application will redirect too many times because Cookie.Secure = true won't work until the application uses https, not http.

[VivionLin]

My project is using 3.2.5. The CookieSameSiteSupplier not work for me because Saml2WebSsoAuthenticationRequestFilter finally uses CookieHttpSessionIdResolver and then DefaultCookieSerializer to write the session cookie.