SessionAutoConfiguration creates a DefaultCookieSerializer with a default SameSite of null instead of Lax

[antechrestos]

While upgrading to SB 4.1 I've spotted a strange behaviour (currently I have tests that tests the sameSite attribute on cookie serializer)

In springboot 4 the DefaultCookieSerializer is built with its sameSite attribute set to Lax.

Hwever, in SessionAutoConfiguration, we can see that PropertyMapper does not filter null values as it used to do and sets the sameSite attribute to the value read from properties, regardless to the fact that it might be null in properties.

In previous version, the property mapper used to be built with a setting of value non null.

I fear that it might change default behaviour for application not setting the server.servlet.session.cookie.same-site property.

[philwebb]

@antechrestos The PropertyMapper class was changed in 4.0.0 to support the @Nullable work. It now should effectively apply alwaysApplyingWhenNonNull() unless the always() method is used.

Can you share a small project with the test that fails in Spring Boot 4 but works in 3? Perhaps we've missed something.

[antechrestos]

Hi @philwebb

thank you for your quick reply.

Here is a demo project

Two branches:

• main in springboot 4.0.1
• feature/back-to-sb3 in 3.5.6

"Same" dependencies (web+ session in redis) and same tests.

• first one with full context
• second one with SessionAutoConfiguration context in a non war project

You will see that test in 4 fails while in 3.5 it works

    private WebApplicationContextRunner contextRunner = new WebApplicationContextRunner(
            AnnotationConfigServletWebApplicationContext::new
    ).withConfiguration(AutoConfigurations.of(SessionAutoConfiguration.class));

    @Test
    void runTest() {
        this.contextRunner.run((context) -> {
            DefaultCookieSerializer defaultCookieSerializer = context.getBean(DefaultCookieSerializer.class);
            String sameSite = (String) ReflectionTestUtils.getField(defaultCookieSerializer, "sameSite");
            assertThat(sameSite).isEqualTo("Lax");
        });
    }

[wilkinsona]

Thanks, @antechrestos. Here's a modified version of that test, adapted for inclusion in SessionAutoConfigurationTests:

@Test
void cookieSerializerUsesLaxSameSitePolicyByDefault() {
	this.contextRunner.run((context) -> {
		DefaultCookieSerializer cookieSerializer = context.getBean(DefaultCookieSerializer.class);
		assertThat(cookieSerializer).hasFieldOrPropertyWithValue("sameSite", "Lax");
	});
}

It passes in 3.5.x. In 4.0.x, it fails:

java.lang.AssertionError: 
Expecting
  org.springframework.session.web.http.DefaultCookieSerializer@38b972d7
to have a property or a field named "sameSite" with value
  "Lax"
but value was:
  null
(static and synthetic fields are ignored)
	at org.springframework.boot.session.autoconfigure.SessionAutoConfigurationTests.lambda$16(SessionAutoConfigurationTests.java:241)
	at org.springframework.boot.test.context.runner.AbstractApplicationContextRunner.accept(AbstractApplicationContextRunner.java:457)
	at org.springframework.boot.test.context.runner.AbstractApplicationContextRunner.consumeAssertableContext(AbstractApplicationContextRunner.java:371)
	at org.springframework.boot.test.context.runner.AbstractApplicationContextRunner.lambda$1(AbstractApplicationContextRunner.java:349)
	at org.springframework.boot.test.util.TestPropertyValues.lambda$5(TestPropertyValues.java:177)
	at org.springframework.boot.test.util.TestPropertyValues.applyToSystemProperties(TestPropertyValues.java:191)
	at org.springframework.boot.test.util.TestPropertyValues.applyToSystemProperties(TestPropertyValues.java:176)
	at org.springframework.boot.test.context.runner.AbstractApplicationContextRunner.lambda$0(AbstractApplicationContextRunner.java:349)
	at org.springframework.boot.test.context.runner.AbstractApplicationContextRunner.withContextClassLoader(AbstractApplicationContextRunner.java:377)
	at org.springframework.boot.test.context.runner.AbstractApplicationContextRunner.run(AbstractApplicationContextRunner.java:348)
	at org.springframework.boot.session.autoconfigure.SessionAutoConfigurationTests.cookieSerializerUsesLaxSameSitePolicyByDefault(SessionAutoConfigurationTests.java:239)

When it's null, the cookie serialiser omits the SameSite attribute so this is a regression.

[antechrestos]

@wilkinsona shall I gladly make a PR or is it something that will be dealt internally?

Thank you

[wilkinsona]

Thanks for the offer. I think we'll need to deal with this internally as the fix isn't completely straightforward. Removing always() fixes the new cookieSerializerUsesLaxSameSitePolicyByDefault test but breaks this existing test:

spring-boot/module/spring-boot-session/src/test/java/org/springframework/boot/session/autoconfigure/SessionAutoConfigurationTests.java

Lines 171 to 179 in a5ca146

	@Test
	void sessionCookieSameSiteOmittedIsAppliedToAutoConfiguredCookieSerializer() {
	this.contextRunner.withUserConfiguration(SessionRepositoryConfiguration.class)
	.withPropertyValues("server.servlet.session.cookie.sameSite=omitted")
	.run((context) -> {
	DefaultCookieSerializer cookieSerializer = context.getBean(DefaultCookieSerializer.class);
	assertThat(cookieSerializer).hasFieldOrPropertyWithValue("sameSite", null);
	});
	}

One way to fix both is this:

diff --git a/module/spring-boot-session/src/main/java/org/springframework/boot/session/autoconfigure/SessionAutoConfiguration.java b/module/spring-boot-session/src/main/java/org/springframework/boot/session/autoconfigure/SessionAutoConfiguration.java
index 7d0a9967779..5d7f0077fde 100644
--- a/module/spring-boot-session/src/main/java/org/springframework/boot/session/autoconfigure/SessionAutoConfiguration.java
+++ b/module/spring-boot-session/src/main/java/org/springframework/boot/session/autoconfigure/SessionAutoConfiguration.java
@@ -37,7 +37,6 @@ import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplicat
 import org.springframework.boot.context.properties.EnableConfigurationProperties;
 import org.springframework.boot.context.properties.PropertyMapper;
 import org.springframework.boot.web.server.Cookie;
-import org.springframework.boot.web.server.Cookie.SameSite;
 import org.springframework.boot.web.server.autoconfigure.ServerProperties;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Conditional;
@@ -116,7 +115,11 @@ public final class SessionAutoConfiguration {
                                map.from(cookie::getHttpOnly).to(cookieSerializer::setUseHttpOnlyCookie);
                                map.from(cookie::getSecure).to(cookieSerializer::setUseSecureCookie);
                                map.from(cookie::getMaxAge).asInt(Duration::getSeconds).to(cookieSerializer::setCookieMaxAge);
-                               map.from(cookie::getSameSite).as(SameSite::attributeValue).always().to(cookieSerializer::setSameSite);
+                               map.from(cookie::getSameSite).to((sameSite) -> {
+                                       if (sameSite != null) {
+                                               cookieSerializer.setSameSite(sameSite.attributeValue());
+                                       }
+                               });
                                map.from(cookie::getPartitioned).to(cookieSerializer::setPartitioned);
                                cookieSerializerCustomizers.orderedStream()
                                        .forEach((customizer) -> customizer.customize(cookieSerializer));

However, I'd like to discuss this with @philwebb and @mhalbritter as the behavior of the PropertyMapper isn't the same as it was in 3.5 when using alwaysApplyingWhenNonNull(). We may want to make some changes to the PropertyMapper instead.

[antechrestos]

@wilkinsona ah OK thanks for the clarification.
Good luck 😏