I'm using the Struts2 framework running on Tomcat 7.0.77. In the common filter, I've added a SameSite cookie with the code below:
Cookie cookie = new Cookie("SameSite", "strict");
cookie.setMaxAge(-1);
res.addCookie(cookie);
I'm using the latest version of Chrome (Version 60.0.3112.90 (Official Build) (64-bit)) to test whether it can prevent CSRF.
Assume the server to be protected is 192.168.1.100, and the other server is running on 192.168.1.101 with a very simple test.html:
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta http-equiv="X-UA-Compatible" content="ie=edge">
<title>Document</title>
</head>
<body>
<a href="https://192.168.1.100/home.html">Click me!</a>
</body>
</html>
So I open a Chrome tab and log in to 192.168.1.100.
Then I open another Chrome tab, access https://192.168.1.101/test.html and click "Click me!".
What I'm expecting is that when I click "Click me!", the link redirects me to https://192.168.1.100/home.html but the cookies shouldn't be passed, so I would need to log in again.
But in fact I'm still in the logged-in state and all the cookies are passed, which I can see in Chrome Developer Tools.
I'm really confused about where I went wrong; I'd appreciate your help!
I finally spent a whole day figuring it out. We need to understand SameSite as an option instead of a key.
So we need to set the cookie like this:
Cookie cookie = new Cookie("SomeKey", "SomeValue; SameSite=strict");
cookie.setMaxAge(-1);
res.addCookie(cookie);
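As an added example (not the asker's or answerer's code): a Servlet 3.0 filter for Tomcat 7, where javax.servlet.http.Cookie has no SameSite setter, that rewrites every Set-Cookie header after the request completes and appends SameSite=Strict. It assumes the filter is mapped in web.xml to the paths whose cookies (including Tomcat's JSESSIONID) need protecting, and that the response is not yet committed when the chain returns.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter (assumption: registered in web.xml). It runs the rest of the chain first,
// then rewrites the Set-Cookie headers Tomcat and the application have queued so far.
public class SameSiteCookieFilter implements Filter {

    // Strict also withholds the cookie on a plain top-level link click from another site,
    // which is exactly the behaviour the question above is testing for.
    private static final String MODE = "Strict";

    /** Appends "; SameSite=<mode>" unless the header already carries a SameSite attribute. */
    static String withSameSite(String setCookieHeader, String mode) {
        if (setCookieHeader == null || setCookieHeader.toLowerCase().contains("samesite=")) {
            return setCookieHeader;
        }
        return setCookieHeader + "; SameSite=" + mode;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        chain.doFilter(req, res);
        HttpServletResponse httpRes = (HttpServletResponse) res;
        if (httpRes.isCommitted()) {
            return; // headers are already on the wire; nothing can be rewritten
        }
        // Copy first: setHeader/addHeader below mutate the collection being read.
        List<String> cookies = new ArrayList<String>(httpRes.getHeaders("Set-Cookie"));
        boolean first = true;
        for (String header : cookies) {
            String rewritten = withSameSite(header, MODE);
            if (first) {
                httpRes.setHeader("Set-Cookie", rewritten); // replaces all existing values
                first = false;
            } else {
                httpRes.addHeader("Set-Cookie", rewritten);
            }
        }
    }

    @Override public void init(FilterConfig filterConfig) { }
    @Override public void destroy() { }
}
```

Because the rewrite happens after chain.doFilter, it also covers the session cookie Tomcat adds internally when the session is created, which a wrapper around addCookie would miss.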