From d84b78c189a3f0d1a9e7a43eed55917cdff413eb Mon Sep 17 00:00:00 2001
From: Thomas <>
Date: Fri, 24 May 2024 14:28:40 +0200
Subject: fix(core): set 'SameSite=None' to HTTP security cookie

Reason: otherwise, cookie will not be sent in iFrame
---
 .../eaaf/core/impl/idp/validation/CookieBasedRequestValidator.java | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

(limited to 'eaaf_core/src')

diff --git a/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/validation/CookieBasedRequestValidator.java b/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/validation/CookieBasedRequestValidator.java
index a0a3f793..7fd2a910 100644
--- a/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/validation/CookieBasedRequestValidator.java
+++ b/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/validation/CookieBasedRequestValidator.java
@@ -23,6 +23,7 @@ import lombok.extern.slf4j.Slf4j;
 public class CookieBasedRequestValidator implements IHttpRequestValidator {
 
   public static final String HTTP_COOKIE_SEC = "eaafSession";
+  public static final String COOKIE_SAME_SITE_ATTR = "SameSite";
 
   @Override
   public void setValidationInfos(@Nonnull final HttpServletResponse httpResponse,
@@ -72,8 +73,8 @@ public class CookieBasedRequestValidator implements IHttpRequestValidator {
         HTTP_COOKIE_SEC, authProcessIdentifier);
     cookie.setHttpOnly(true);
     cookie.setSecure(true);
-    URL url = new URL(pendingReq.getAuthUrlWithOutSlash());
-    cookie.setPath(url.getPath());
+    cookie.setPath(new URL(pendingReq.getAuthUrlWithOutSlash()).getPath());
+    cookie.setAttribute(COOKIE_SAME_SITE_ATTR, "None");
     return cookie;
   }
 
-- 
cgit v1.2.3
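Review bot: `cookie.setAttribute(COOKIE_SAME_SITE_ATTR, "None")` in the second hunk relies on `Cookie.setAttribute(String, String)`, which exists only on `jakarta.servlet.http.Cookie` from Servlet 6.0 onward; the imports are not visible here, but if this module still compiles against `javax.servlet` or an earlier Jakarta API the line will not compile, and on an older container the attribute would presumably never reach the `Set-Cookie` header, so the API-level assumption deserves a comment or a build-time check. SameSite=None deliberately gives up the cross-site protection this attribute otherwise gives the security cookie, which is only acceptable together with `Secure` (set two lines above and required by browsers for None) and whatever binding of the cookie to the pending request the validator performs elsewhere; record the trade-off next to the line, e.g. `// SameSite=None: the cookie must be sent when the IdP is embedded in an iFrame; browsers only honour it together with Secure, and the CSRF protection SameSite would give is intentionally waived here`. The folded `new URL(...)` still throws `MalformedURLException` exactly as before, so nothing changes there; the enclosing method's signature and the rest of its body lie outside the hunk.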