What I have:
- I have a Spring Boot API and an Angular app on different domains (not subdomains), and changing that is not an option.
- I only grant access via CORS to my Angular app's domain.
What I need:
- I need to use the CSRF cookie with SameSite=None to allow authentication from the Chrome browser, because it doesn't work, I think because of the default SameSite=Lax policy. In Firefox it is working OK.
What I tried:
- I updated to Spring 2.7 to try the server.servlet.session.cookie.same-site=none property, but it only affects the JSESSIONID cookie. It didn't work with the CSRF cookie.
- I updated to Spring 3 to try the CookieCsrfTokenRepository.setCookieCustomizer() method, but I can't find information on how I can use this method to configure the cookie.
- I tried to implement a OncePerRequestFilter and modify the Set-Cookie header, but then I lost the Set-Cookie header of the JSESSIONID cookie.
What can I do to get the CSRF cookie with SameSite=None? Is there another solution to run CSRF authentication in Chrome with different domains?
Thanks in advance
I found the solution: CookieCsrfTokenRepository using the setCookieCustomizer method with a Consumer<ResponseCookie.ResponseCookieBuilder> in the filterChain(HttpSecurity http) method:
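As an added example (not the poster's own code), this is how the setCookieCustomizer approach from the answer can be wired into a Spring Security filter chain. It assumes Spring Security 6.1 or later (where setCookieCustomizer exists); the class name and the surrounding authorization rules are placeholders, not from the original post.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;

@Configuration
@EnableWebSecurity
public class CsrfCookieConfig {  // class name is an assumption

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        // httpOnly=false so the Angular app can read XSRF-TOKEN and send it back
        // in the X-XSRF-TOKEN header on state-changing requests.
        CookieCsrfTokenRepository repo = CookieCsrfTokenRepository.withHttpOnlyFalse();

        // SameSite=None lets the cookie travel on cross-site requests from the
        // Angular origin. Browsers reject SameSite=None unless Secure is also set,
        // so the API must be served over HTTPS for this to take effect.
        repo.setCookieCustomizer(cookie -> cookie
                .sameSite("None")
                .secure(true));

        http
            .csrf(csrf -> csrf.csrfTokenRepository(repo))
            // Placeholder rule; keep whatever authorization the API already uses.
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated());

        return http.build();
    }
}
```

This only changes the CSRF cookie; the session cookie is still governed by server.servlet.session.cookie.same-site, and the CORS configuration must allow credentials for the browser to send either cookie cross-origin.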