From c5e80757f67d4b5c3849f3e25b4bac470384e9c2 Mon Sep 17 00:00:00 2001
From: Frederic Tregon
Date: Thu, 1 Oct 2020 11:11:53 +0200
Subject: [PATCH] deleteMe cookie should use the defined "sameSite"

With Chrome increasing security of cookies not defining any SameSite options, the deleteMe cookie may be blocked by Chrome under some circumstances. For example, when an app is used within a cross-site iframe, one must defined the option SameSite=None option. This works for the main cookie, but the deleteMe is currently blocked. This commit fixes this.
---
 .../main/java/org/apache/shiro/web/servlet/SimpleCookie.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/web/src/main/java/org/apache/shiro/web/servlet/SimpleCookie.java b/web/src/main/java/org/apache/shiro/web/servlet/SimpleCookie.java
index a084e4f06b..fe28f3ddc1 100644
--- a/web/src/main/java/org/apache/shiro/web/servlet/SimpleCookie.java
+++ b/web/src/main/java/org/apache/shiro/web/servlet/SimpleCookie.java
@@ -398,7 +398,7 @@ public void removeFrom(HttpServletRequest request, HttpServletResponse response)
         int version = getVersion();
         boolean secure = isSecure();
         boolean httpOnly = false; //no need to add the extra text, plus the value 'deleteMe' is not sensitive at all
-        SameSiteOptions sameSite = null;
+        SameSiteOptions sameSite = getSameSite();
         addCookieHeader(response, name, value, comment, domain, path, maxAge, version, secure, httpOnly, sameSite);
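Review bot: The deletion cookie now carries the configured SameSite value, but nothing in the hunk guards the SameSite=None case, which browsers accept only together with the Secure attribute; `secure` comes from `isSecure()` two lines above, so a cookie configured with SameSite=None and secure=false will have its `deleteMe` cookie rejected exactly like the original one, and the removal silently fails. That is a misconfiguration of the cookie rather than of this method, so a comment on the changed line would make the coupling visible: `// mirror the original cookie's SameSite: a cross-site (SameSite=None) cookie is only cleared by a deletion cookie carrying the same attribute, and SameSite=None additionally requires Secure`. The commit adds no test; a unit test that configures SameSite=None with secure=true, calls removeFrom and asserts the emitted Set-Cookie header contains `SameSite=None` would pin the fix against regression. removeFrom's signature and the rest of its body lie outside the hunk.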