Olav Grønås Gjerde

Full stack system architect with passion for Unix, Java, Python and databases.
Twitter @olavgg
4 years ago

How to set Grails or Spring Boot JSESSIONID Cookie SameSite Strict

Firefox recently displayed a warning that cookies without the SameSite attribute would stop working soon.

You can set the attribute on the session cookie by creating a new bean:

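    import org.apache.catalina.Context;
    import org.apache.tomcat.util.http.Rfc6265CookieProcessor;
    import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory;
    import org.springframework.boot.web.servlet.server.ServletWebServerFactory;
    import org.springframework.context.annotation.Bean;

    // Replaces the default embedded Tomcat factory so that every cookie
    // Tomcat writes, including JSESSIONID, gets SameSite=Strict.
    @Bean
    ServletWebServerFactory servletContainer() {
        return new TomcatServletWebServerFactory() {
            @Override
            protected void postProcessContext(Context context) {
                // The cookie processor controls how Set-Cookie headers are generated.
                Rfc6265CookieProcessor rfc6265Processor = new Rfc6265CookieProcessor();
                rfc6265Processor.setSameSiteCookies("Strict");
                context.setCookieProcessor(rfc6265Processor);
            }
        };
    }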

For those of you who are new to beans in Grails, you can just copy this method into the default Application class in Grails. This example was done with Grails 4. If you use an older version where this is unsupported, you can also modify the Set-Cookie header with either Apache or Nginx.
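
To confirm the setting took effect, whether it comes from the bean or from a proxy rewrite, inspect the Set-Cookie header the application actually returns. The shell check below is an added example, not part of the original post; the sample headers are constructed and the URL in the comment is a placeholder.

```sh
# Added example: check that a cookie in an HTTP response carries the expected
# SameSite value. Reads raw response headers on stdin.
# Exit status: 0 = every matching cookie has it, 1 = at least one does not,
#              2 = the cookie was not set in this response.
# Against a running app (placeholder URL; the request must create a session):
#   curl -s -o /dev/null -D - https://app.example.test/login | check_samesite JSESSIONID Strict
check_samesite() {  # usage: check_samesite COOKIE_NAME EXPECTED_VALUE < headers
    awk -v name="$1" -v want="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
    { sub(/\r$/, "") }                          # header lines end in CRLF
    tolower(substr($0, 1, 11)) == "set-cookie:" {
        n = split(substr($0, 12), part, ";")
        pair = part[1]; gsub(/^[ \t]+|[ \t]+$/, "", pair)
        # Cookie names are case-sensitive; skip cookies other than the one asked for.
        if (substr(pair, 1, index(pair, "=") - 1) != name) next
        seen++; got = ""
        for (i = 2; i <= n; i++) {              # attributes follow the name=value pair
            attr = part[i]; gsub(/^[ \t]+|[ \t]+$/, "", attr)
            if (tolower(substr(attr, 1, 9)) == "samesite=") got = tolower(substr(attr, 10))
        }
        if (got != want) {
            bad++
            printf "%s: SameSite=%s\n", name, (got == "" ? "<missing>" : got)
        }
    }
    END { exit (seen == 0 ? 2 : (bad > 0 ? 1 : 0)) }'
}

# Constructed sample responses: before and after the cookie processor is configured.
SAMPLE_BEFORE=$(printf 'HTTP/1.1 200 \r\nSet-Cookie: JSESSIONID=0123456789ABCDEF; Path=/; HttpOnly\r\nContent-Length: 0\r\n')
SAMPLE_AFTER=$(printf 'HTTP/1.1 200 \r\nSet-Cookie: JSESSIONID=0123456789ABCDEF; Path=/; HttpOnly; SameSite=Strict\r\nContent-Length: 0\r\n')

printf '%s\n' "$SAMPLE_BEFORE" | check_samesite JSESSIONID Strict || echo "before: check failed"
printf '%s\n' "$SAMPLE_AFTER" | check_samesite JSESSIONID Strict && echo "after: check passed"
```

The exit status makes the function usable as a deployment smoke test, so a regression that drops the attribute fails the pipeline instead of surfacing as a browser warning.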