
Play Framework version 2.6/2.7 set PLAY_SESSION cookie to SameSite=None; Secure

There are many posts confirming that Play supports the SameSite=None; Secure requirement. However, when configuring the session through config like this:

    ...
    play.http.session.httpOnly=true
    play.http.session.sameSite="None"
    play.http.session.secure=true
    ...

Chrome tells me that None is not getting set. See below: [screenshot: same-site cookie]

To validate I'm on the right back-ported version (2.6.24), I implemented a filter to set other cookies I have control over, and when I construct a cookie manually like this:

    Cookie(
      key,
      value,
      secure = true,
      sameSite = Some(Cookie.SameSite.None)
    )

Chrome will show that SameSite=None; Secure does get set on those cookies. Which makes me think there's something with the config implementation that is not understanding None. The Play docs indicate you can only pass Strict or Lax as well, but I was hoping that was just a documentation error.

EDIT: Confirmed cbley's answer: 2.6.25 works, see the screenshot below.

This is fixed in Play versions 2.6.25 and 2.7.5.
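To check the result without relying on the browser's devtools, the Set-Cookie headers of a response can be audited directly. The following is an added example, not code from the question, the answer or the Play project; the function names and the sample header values are constructed for illustration.

```python
# Added example: audit Set-Cookie header values for the session cookie's attributes.
# The sample headers below are constructed, not captured from a real Play application.
SAMPLE_WITHOUT_SAMESITE = "PLAY_SESSION=constructed-value; Path=/; Secure; HTTPOnly"
SAMPLE_WITH_SAMESITE = "PLAY_SESSION=constructed-value; SameSite=None; Path=/; Secure; HTTPOnly"


def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, attrs).

    Attribute names are lower-cased; flag attributes (Secure, HttpOnly) map to ''.
    """
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_session_cookie(headers, cookie_name="PLAY_SESSION"):
    """Return findings for the named cookie; an empty list means it carries
    SameSite=None together with Secure and HttpOnly."""
    findings = []
    seen = False
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        if name != cookie_name:
            continue
        seen = True
        same_site = attrs.get("samesite")
        if same_site is None:
            findings.append("SameSite attribute missing")
        elif same_site.lower() != "none":
            findings.append(f"SameSite={same_site}, expected None")
        if "secure" not in attrs:
            findings.append("Secure missing (SameSite=None requires Secure)")
        if "httponly" not in attrs:
            findings.append("HttpOnly missing")
    if not seen:
        findings.append(f"{cookie_name} not present in response")
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_WITHOUT_SAMESITE, SAMPLE_WITH_SAMESITE):
        print(sample, "->", audit_session_cookie([sample]) or "OK")
```

Feed it the Set-Cookie values from a response of the application before and after upgrading to compare what the server actually sends.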
