Add Cookie's SameSite directive property

See spring-projects#15047

Author: cleankod

spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/session/SessionAutoConfiguration.java

@@ -103,6 +103,7 @@ public DefaultCookieSerializer cookieSerializer(ServerProperties serverPropertie
 			map.from(cookie::getHttpOnly).to(cookieSerializer::setUseHttpOnlyCookie);
 			map.from(cookie::getSecure).to(cookieSerializer::setUseSecureCookie);
 			map.from(cookie::getMaxAge).to((maxAge) -> cookieSerializer.setCookieMaxAge((int) maxAge.getSeconds()));
+			map.from(cookie::getSameSite).to((sameSite) -> cookieSerializer.setSameSite(sameSite.toString()));
 			if (ClassUtils.isPresent(REMEMBER_ME_SERVICES_CLASS, getClass().getClassLoader())) {
 				new RememberMeServicesCookieSerializerCustomizer().apply(cookieSerializer);
 			}

spring-boot-project/spring-boot-autoconfigure/src/main/resources/META-INF/additional-spring-configuration-metadata.json

@@ -112,6 +112,10 @@
       "name": "server.servlet.session.cookie.secure",
       "description": "Whether to always mark the session cookie as secure."
     },
+    {
+      "name": "server.servlet.session.cookie.same-site",
+      "description": "The \"SameSite\" directive for the cookie."
+    },
     {
       "name": "server.servlet.session.persistent",
       "description": "Whether to persist session data between restarts.",

spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/web/servlet/ServletWebServerFactoryCustomizerTests.java

@@ -101,6 +101,7 @@ public void customizeSessionProperties() throws Exception {
 		map.put("server.servlet.session.cookie.http-only", "true");
 		map.put("server.servlet.session.cookie.secure", "true");
 		map.put("server.servlet.session.cookie.max-age", "60");
+		map.put("server.servlet.session.cookie.same-site", "strict");
 		bindProperties(map);
 		ConfigurableServletWebServerFactory factory = mock(ConfigurableServletWebServerFactory.class);
 		this.customizer.customize(factory);
@@ -114,6 +115,7 @@ public void customizeSessionProperties() throws Exception {
 		assertThat(cookie.getComment()).isEqualTo("testcomment");
 		assertThat(cookie.getHttpOnly()).isTrue();
 		assertThat(cookie.getMaxAge()).isEqualTo(Duration.ofSeconds(60));
+		assertThat(cookie.getSameSite()).isEqualTo(Cookie.SameSite.STRICT);
 
 	}
 

spring-boot-project/spring-boot/src/main/java/org/springframework/boot/web/servlet/server/Session.java

@@ -120,6 +120,8 @@ public static class Cookie {
 		@DurationUnit(ChronoUnit.SECONDS)
 		private Duration maxAge;
 
+		private SameSite sameSite;
+
 		/**
 		 * Return the session cookie name.
 		 * @return the session cookie name
@@ -205,6 +207,56 @@ public void setMaxAge(Duration maxAge) {
 			this.maxAge = maxAge;
 		}
 
+		/**
+		 * Return the SameSite directive for the cookie.
+		 * @return the SameSite directive for the cookie
+		 */
+		public SameSite getSameSite() {
+			return this.sameSite;
+		}
+
+		public void setSameSite(final SameSite sameSite) {
+			this.sameSite = sameSite;
+		}
+
+		/**
+		 * Available SameSite directives for the cookie.
+		 */
+		public enum SameSite {
+
+			/**
+			 * The cookie will only be sent if the site for the cookie matches the current
+			 * site URL. The cookie will not be sent along with requests initiated by
+			 * third party websites.
+			 */
+			STRICT("Strict"),
+
+			/**
+			 * The cookie will only be sent if the site for the cookie matches the current
+			 * site URL. The cookie will be sent along with the GET request initiated by
+			 * third party website.
+			 */
+			LAX("Lax"),
+
+			/**
+			 * The cookie will be sent cross-origin. This directive requires the Secure
+			 * attribute.
+			 */
+			NONE("None");
+
+			private String value;
+
+			SameSite(final String value) {
+				this.value = value;
+			}
+
+			@Override
+			public String toString() {
+				return this.value;
+			}
+
+		}
+
 	}
 
 	/**