Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CookieServerCsrfTokenRepository.withHttpOnlyFalse() ineffective if setCookieCustomizer() is used #16820

Closed
thomas-seag opened this issue Mar 25, 2025 · 0 comments · Fixed by #16822
Closed

CookieServerCsrfTokenRepository.withHttpOnlyFalse() ineffective if setCookieCustomizer() is used #16820

thomas-seag opened this issue Mar 25, 2025 · 0 comments · Fixed by #16822
Labels
status: waiting-for-triage An issue we've not yet triaged type: bug A general bug

Comments

@thomas-seag
Copy link

Describe the bug
Setting a cookie customizer on a CookieServerCsrfTokenRepository.withHttpOnlyFalse() resets the "http only" behavior.

To Reproduce
Create a CookieServerCsrfTokenRepository.withHttpOnlyFalse(), then set a CookieCustomizer on it. See unit test below.

Expected behavior
The cookie is served with isHttp = false.

Sample

The following unit test fails but should succeed:

import static org.junit.jupiter.api.Assertions.assertFalse;
import static org.junit.jupiter.api.Assertions.assertNotNull;

import org.junit.jupiter.api.Test;
import org.springframework.http.ResponseCookie;
import org.springframework.mock.http.server.reactive.MockServerHttpRequest;
import org.springframework.mock.web.server.MockServerWebExchange;
import org.springframework.security.web.server.csrf.CookieServerCsrfTokenRepository;
import org.springframework.security.web.server.csrf.CsrfToken;

class CookieTest {

	@Test
	void cookieIsHttpFalse() {
		CookieServerCsrfTokenRepository repository = CookieServerCsrfTokenRepository.withHttpOnlyFalse();
		repository.setCookieCustomizer(cookieBuilder -> {
			cookieBuilder.path("/");
		});

		MockServerHttpRequest.BaseBuilder<?> request = MockServerHttpRequest.get("/dummy");
		MockServerWebExchange exchange = MockServerWebExchange.from(request);
		CsrfToken csrfToken = repository.generateToken(exchange).block();
		repository.saveToken(exchange, csrfToken).block();
		ResponseCookie cookie = exchange.getResponse().getCookies().getFirst("XSRF-TOKEN");
		assertNotNull(cookie);
		assertFalse(cookie.isHttpOnly());
	}

}
@thomas-seag thomas-seag added status: waiting-for-triage An issue we've not yet triaged type: bug A general bug labels Mar 25, 2025
kse-music added a commit to kse-music/spring-security that referenced this issue Mar 26, 2025
@kse-music
WithHttpOnlyCookie defaults to false
edff9ae 
Closes spring-projectsgh-16820

Signed-off-by: DingHao <[email protected]>
@kse-music kse-music mentioned this issue Mar 26, 2025
Merged
kse-music added a commit to kse-music/spring-security that referenced this issue Mar 26, 2025
@kse-music
WithHttpOnlyCookie defaults to false
528532f 
Closes spring-projectsgh-16820

Signed-off-by: DingHao <[email protected]>
kse-music added a commit to kse-music/spring-security that referenced this issue Apr 1, 2025
@kse-music
WithHttpOnlyCookie defaults to false
8301a2b 
Closes spring-projectsgh-16820

Signed-off-by: DingHao <[email protected]>
@jzheaux jzheaux mentioned this issue Apr 1, 2025
Closed
@jzheaux jzheaux closed this as completed in 857ef6f Apr 1, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
status: waiting-for-triage An issue we've not yet triaged type: bug A general bug
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

setCookieCustomizer should not reset withHttpOnlyFalse httpOnly setting kse-music/spring-security
1 participant
@thomas-seag