
CookieRequestCache should set SameSite on the REDIRECT_URI cookie

Status: Open. 2is10 opened this issue 1 year ago (1 comment)

Describe the bug

When using CookieRequestCache, Firefox complains:

Cookie “REDIRECT_URI” does not have a proper “SameSite” attribute value. Soon, cookies without the “SameSite” attribute or with an invalid value will be treated as “Lax”. This means that the cookie will no longer be sent in third-party contexts. If your application depends on this cookie being available in such contexts, please add the “SameSite=None“ attribute to it. To know more about the “SameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite


To Reproduce

Configure your application to use CookieRequestCache, like so:

http.requestCache(config -> config.requestCache(new CookieRequestCache()));

Note that due to #2932 you likely also need to separately pass the CookieRequestCache to SavedRequestAwareAuthenticationSuccessHandler.

Expected behavior

No warning in Firefox. The POST /login request should also not show up as “blocked”.


Sample

No sample provided. This is easy to try on any project.

2is10, Jun 05 '24 14:06

Hi @2is10, thanks for the report.

I believe that we could add some kind of customizer to the cookie in the CookieRequestCache implementation, similar to https://github.com/spring-projects/spring-security/pull/15203, what do you think?

I don't think that we should set a default value to that attribute though, since the docs mention that the attribute is optional and, if not provided, a default value (defined by the browser) will be used.

marcusdacoregio, Jun 10 '24 14:06

Closed via https://github.com/spring-projects/spring-security/pull/15685

marcusdacoregio, Sep 03 '24 12:09
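One way to wire the cookie customizer proposed above into the configuration from the report, as an added example rather than code from the issue or from Spring Security itself. It assumes CookieRequestCache exposes a setCookieCustomizer(Consumer<Cookie>) method (as the linked PR suggests) and that the Jakarta Servlet 6 Cookie.setAttribute API is available; it also applies the #2932 workaround of handing the same cache to the success handler.

```java
import java.util.function.Consumer;

import jakarta.servlet.http.Cookie;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
import org.springframework.security.web.savedrequest.CookieRequestCache;

@Configuration
public class RedirectUriCookieConfig {

    // Lax keeps REDIRECT_URI out of cross-site subrequests while still letting the
    // browser send it on the top-level navigation back from /login, which is all the
    // saved-request flow needs. None would require Secure and only makes sense for
    // genuinely cross-site login flows.
    private static final String SAME_SITE = "Lax";

    @Bean
    CookieRequestCache cookieRequestCache() {
        CookieRequestCache cache = new CookieRequestCache();
        // Assumption: setCookieCustomizer(Consumer<Cookie>) is the hook added by the
        // linked PR; Cookie.setAttribute(String, String) needs Jakarta Servlet 6.
        Consumer<Cookie> customizer = (cookie) -> cookie.setAttribute("SameSite", SAME_SITE);
        cache.setCookieCustomizer(customizer);
        return cache;
    }

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http, CookieRequestCache cache) throws Exception {
        // Per the report (#2932), the success handler must be given the same cache
        // instance, otherwise it may not find the saved request stored in the cookie.
        SavedRequestAwareAuthenticationSuccessHandler successHandler =
                new SavedRequestAwareAuthenticationSuccessHandler();
        successHandler.setRequestCache(cache);

        http
            .requestCache(config -> config.requestCache(cache))
            .formLogin(form -> form.successHandler(successHandler))
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated());
        return http.build();
    }
}
```

After logging in, check the Set-Cookie header for REDIRECT_URI in the browser's network panel: it should now carry SameSite=Lax and the Firefox warning should be gone.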