summaryrefslogtreecommitdiff
path: root/eaaf_core/src/main
diff options
context:
space:
mode:
authorThomas <>2024-05-24 14:28:40 +0200
committerThomas <>2024-05-24 14:28:40 +0200
commitd84b78c189a3f0d1a9e7a43eed55917cdff413eb (patch)
tree8b505b286c63ec7296a1196075475d96f8dade54 /eaaf_core/src/main
parent30f77f0ef285ccfba5dcec31c5b63d63d504ce6a (diff)
downloadEAAF-Components-d84b78c189a3f0d1a9e7a43eed55917cdff413eb.tar.gz
EAAF-Components-d84b78c189a3f0d1a9e7a43eed55917cdff413eb.tar.bz2
EAAF-Components-d84b78c189a3f0d1a9e7a43eed55917cdff413eb.zip
fix(core): set 'SameSite=None' to HTTP security cookie
Reason: otherwise, cookie will not be sent in iFrame
Diffstat (limited to 'eaaf_core/src/main')
-rw-r--r--eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/validation/CookieBasedRequestValidator.java5
1 files changed, 3 insertions, 2 deletions
diff --git a/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/validation/CookieBasedRequestValidator.java b/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/validation/CookieBasedRequestValidator.java
index a0a3f793..7fd2a910 100644
--- a/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/validation/CookieBasedRequestValidator.java
+++ b/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/validation/CookieBasedRequestValidator.java
@@ -23,6 +23,7 @@ import lombok.extern.slf4j.Slf4j;
public class CookieBasedRequestValidator implements IHttpRequestValidator {
public static final String HTTP_COOKIE_SEC = "eaafSession";
+ public static final String COOKIE_SAME_SITE_ATTR = "SameSite";
@Override
public void setValidationInfos(@Nonnull final HttpServletResponse httpResponse,
@@ -72,8 +73,8 @@ public class CookieBasedRequestValidator implements IHttpRequestValidator {
HTTP_COOKIE_SEC, authProcessIdentifier);
cookie.setHttpOnly(true);
cookie.setSecure(true);
- URL url = new URL(pendingReq.getAuthUrlWithOutSlash());
- cookie.setPath(url.getPath());
+ cookie.setPath(new URL(pendingReq.getAuthUrlWithOutSlash()).getPath());
+ cookie.setAttribute(COOKIE_SAME_SITE_ATTR, "None");
return cookie;
}