authorThomas <>2024-05-24 14:28:40 +0200
committerThomas <>2024-05-24 14:28:40 +0200
commitd84b78c189a3f0d1a9e7a43eed55917cdff413eb (patch)
tree8b505b286c63ec7296a1196075475d96f8dade54 /eaaf_core/src
parent30f77f0ef285ccfba5dcec31c5b63d63d504ce6a (diff)
fix(core): set 'SameSite=None' to HTTP security cookie
Reason: otherwise, the cookie will not be sent when the page is embedded in an iframe
Diffstat (limited to 'eaaf_core/src')
-rw-r--r--eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/validation/CookieBasedRequestValidator.java5
1 files changed, 3 insertions, 2 deletions
diff --git a/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/validation/CookieBasedRequestValidator.java b/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/validation/CookieBasedRequestValidator.java
index a0a3f793..7fd2a910 100644
--- a/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/validation/CookieBasedRequestValidator.java
+++ b/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/validation/CookieBasedRequestValidator.java
@@ -23,6 +23,7 @@ import lombok.extern.slf4j.Slf4j;
public class CookieBasedRequestValidator implements IHttpRequestValidator {
public static final String HTTP_COOKIE_SEC = "eaafSession";
+ public static final String COOKIE_SAME_SITE_ATTR = "SameSite";
@Override
public void setValidationInfos(@Nonnull final HttpServletResponse httpResponse,
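Review bot: The new public constant `COOKIE_SAME_SITE_ATTR` carries no Javadoc, unlike a public API member should, and it only names the attribute while its value is hard-coded at the call site further down in this file. A one-line Javadoc such as `/** Name of the cookie attribute that controls cross-site sending of {@link #HTTP_COOKIE_SEC}. */` would make its purpose clear to callers that reference it. The class body continues outside this hunk.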
@@ -72,8 +73,8 @@ public class CookieBasedRequestValidator implements IHttpRequestValidator {
HTTP_COOKIE_SEC, authProcessIdentifier);
cookie.setHttpOnly(true);
cookie.setSecure(true);
- URL url = new URL(pendingReq.getAuthUrlWithOutSlash());
- cookie.setPath(url.getPath());
+ cookie.setPath(new URL(pendingReq.getAuthUrlWithOutSlash()).getPath());
+ cookie.setAttribute(COOKIE_SAME_SITE_ATTR, "None");
return cookie;
}
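Review bot: Setting `SameSite=None` on the `eaafSession` cookie means browsers will attach it to every cross-site request for this path, so the cookie itself no longer limits cross-site use of the authentication flow; the change is only safe because `setSecure(true)` two lines above is kept (browsers discard `SameSite=None` cookies that lack `Secure`), and because the cookie value is the `authProcessIdentifier`, which this validator presumably compares against the pending request elsewhere in the class — that comparison is now the only cross-site check. Please document that dependency next to the new line, e.g. `// SameSite=None so the cookie is also sent inside an iframe; requires Secure, and cross-site protection rests on the authProcessIdentifier check`. `Cookie.setAttribute` is available only from Jakarta Servlet 6.0 onward, so the project's servlet baseline must be at least that or this line fails at runtime on older containers. The `"None"` literal would also read better as a constant beside `COOKIE_SAME_SITE_ATTR`. The enclosing method starts outside this hunk.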