spring-projects / spring-security

Spring Security
http://spring.io/projects/spring-security
Apache License 2.0

Allow customizing AbstractRememberMeServices cookie #14990

Open ooraini opened 2 weeks ago

ooraini commented 2 weeks ago

Expected Behavior

Current Behavior

Context

I want to set the same-site attribute for the remember-me cookie. The servlet Cookie class exposes the setAttribute method to modify the cookie attribute. We can add setCookieAttribute to AbstractRememberMeServices or offer a post-processor style API that allows clients to modify the cookie:

    protected void setCookie(String[] tokens, int maxAge, HttpServletRequest request, HttpServletResponse response) {
        String cookieValue = encodeCookie(tokens);
        Cookie cookie = new Cookie(this.cookieName, cookieValue);
        cookie.setMaxAge(maxAge);
        cookie.setPath(getCookiePath(request));
        if (this.cookieDomain != null) {
            cookie.setDomain(this.cookieDomain);
        }
        if (maxAge < 1) {
            cookie.setVersion(1);
        }
        cookie.setSecure((this.useSecureCookie != null) ? this.useSecureCookie : request.isSecure());
        cookie.setHttpOnly(true);

        this.cookiePostProcessor.accept(cookie); // NEW

        response.addCookie(cookie);
    }

And the same thing for the configurer.
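
Added example, not code from the issue or from Spring Security: one way to get the requested post-processing hook without changing AbstractRememberMeServices, by intercepting the cookie at `response.addCookie(...)`. The class name, the `withSameSite` factory and the `Consumer<Cookie>` field are hypothetical; it assumes Spring Security 6.x on the `jakarta.servlet` API with `Cookie.setAttribute` available (Servlet 6.0).

```java
import java.util.function.Consumer;

import jakarta.servlet.http.Cookie;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import jakarta.servlet.http.HttpServletResponseWrapper;

import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices;

/**
 * Hypothetical subclass (not part of Spring Security): applies a caller-supplied
 * post-processor to the remember-me cookie just before it is written.
 */
public class PostProcessingRememberMeServices extends TokenBasedRememberMeServices {

    // Assumed name, mirroring the field proposed in the issue.
    private final Consumer<Cookie> cookiePostProcessor;

    public PostProcessingRememberMeServices(String key, UserDetailsService userDetailsService,
            Consumer<Cookie> cookiePostProcessor) {
        super(key, userDetailsService);
        this.cookiePostProcessor = cookiePostProcessor;
    }

    @Override
    protected void setCookie(String[] tokens, int maxAge, HttpServletRequest request,
            HttpServletResponse response) {
        // The parent still builds the cookie (name, path, domain, Secure, HttpOnly);
        // the wrapper intercepts it at addCookie, where the issue's hook would run.
        super.setCookie(tokens, maxAge, request, new HttpServletResponseWrapper(response) {
            @Override
            public void addCookie(Cookie cookie) {
                PostProcessingRememberMeServices.this.cookiePostProcessor.accept(cookie);
                super.addCookie(cookie);
            }
        });
    }

    /** Convenience factory for the issue's use case: SameSite on the remember-me cookie. */
    public static PostProcessingRememberMeServices withSameSite(String key,
            UserDetailsService userDetailsService, String sameSite) {
        return new PostProcessingRememberMeServices(key, userDetailsService,
                (cookie) -> cookie.setAttribute("SameSite", sameSite));
    }
}
```

The cookie that `cancelCookie` writes on logout does not pass through `setCookie`, so this override leaves it unchanged. Browsers accept `SameSite=None` only on cookies that are also marked Secure.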