CookieCsrfTokenRepository resets httpOnly to true in case a cookieCustomizer is set #13659

Closed
stipx opened this issue Aug 17, 2023 · 1 comment
Labels
in: web An issue in web modules (web, webmvc) type: bug A general bug

stipx commented Aug 17, 2023

```java
public static CookieCsrfTokenRepository withHttpOnlyFalse() {
    CookieCsrfTokenRepository result = new CookieCsrfTokenRepository();
    result.setCookieCustomizer((cookie) -> cookie.httpOnly(false));
    return result;
}
```

The withHttpOnlyFalse() factory method does lead to unexpected behavior if a customizer is set as the default httpOnly=true is set again and not reset in

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Aug 17, 2023
@jzheaux jzheaux added this to the 6.1.4 milestone Aug 28, 2023
@jzheaux jzheaux self-assigned this Aug 28, 2023
@jzheaux jzheaux added in: web An issue in web modules (web, webmvc) type: bug A general bug and removed status: waiting-for-triage An issue we've not yet triaged labels Aug 28, 2023
Contributor

jzheaux commented Aug 28, 2023

Thanks, good catch @stipx. This will go into the next maintenance release.
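
A regression check for the behaviour reported in this issue, added here as an example; it is not part of the thread and not Spring Security's own test code. It saves a token through the repository against mock servlet objects and inspects the `HttpOnly` flag of the cookie that was written. Assumptions: spring-security-web 6.1+, spring-test and JUnit 5 on the test classpath, the default cookie name `XSRF-TOKEN`, a customizer that is applied after the repository's own defaults, and the hypothetical names `CsrfCookieFlagsTest` and `issuedCookie`.

```java
// Added example, not Spring Security's own test code.
// Assumes spring-security-web 6.1+, spring-test and JUnit 5 on the test classpath.
import static org.junit.jupiter.api.Assertions.assertFalse;
import static org.junit.jupiter.api.Assertions.assertNotNull;

import jakarta.servlet.http.Cookie;
import org.junit.jupiter.api.Test;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.security.web.csrf.CsrfToken;

class CsrfCookieFlagsTest { // hypothetical test class name

    // Saves a fresh token through the repository and returns the cookie it wrote.
    private static Cookie issuedCookie(CookieCsrfTokenRepository repository) {
        MockHttpServletRequest request = new MockHttpServletRequest();
        MockHttpServletResponse response = new MockHttpServletResponse();
        CsrfToken token = repository.generateToken(request);
        repository.saveToken(token, request, response);
        Cookie cookie = response.getCookie("XSRF-TOKEN"); // default cookie name
        assertNotNull(cookie, "repository did not write the CSRF cookie");
        return cookie;
    }

    // Combination from the issue: factory method first, then an additional customizer.
    // Asserts what the factory method's name promises, so according to the report
    // this test fails on affected versions.
    @Test
    void factoryMethodPlusCustomizerKeepsHttpOnlyFalse() {
        CookieCsrfTokenRepository repository = CookieCsrfTokenRepository.withHttpOnlyFalse();
        repository.setCookieCustomizer((cookie) -> cookie.sameSite("Lax"));
        assertFalse(issuedCookie(repository).isHttpOnly());
    }

    // Version-independent configuration: a single customizer that states every
    // attribute the application relies on, including httpOnly.
    @Test
    void singleCustomizerStatesHttpOnlyExplicitly() {
        CookieCsrfTokenRepository repository = new CookieCsrfTokenRepository();
        repository.setCookieCustomizer((cookie) -> cookie.httpOnly(false).sameSite("Lax"));
        assertFalse(issuedCookie(repository).isHttpOnly());
    }
}
```

Invert the assertions if the application expects the CSRF cookie to be `HttpOnly`; the point of the check is that the flag on the wire matches the configuration's intent.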
