Hello,
Recently we ran into an issue where our SSO requests started failing on new Chrome browsers. Turns out this was because of the way Chrome is handling cookies with no SameSite attribute.
Prior to Chrome 80, if the SameSite attribute was not specified it was treated as SameSite=None, but now it is treated as SameSite=Lax, which can introduce breakage in SSO flows.
I think Pac4J cookies need to explicitly have the SameSite=None attribute when cookies are set; this will prevent any future breakage due to the Pac4J library.
There is also an issue with adding this parameter to the Java Cookie class: since this is so new, the javax.servlet.http.Cookie class does not support the SameSite property, and there is no way to add custom attributes to a Cookie. The only way I could think of doing it is setting a Set-Cookie header.
Thanks,
Sandeep
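The workaround the message describes, writing the Set-Cookie header by hand because javax.servlet.http.Cookie has no SameSite setter, as an added example that is not pac4j's own code. The class name SameSiteCookies, the helper names and the sameSite parameter are assumptions; the servlet API calls (getName, getValue, getPath, getDomain, getMaxAge, getSecure, isHttpOnly, addHeader) exist in Servlet 3.0 and later.

```java
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example (not pac4j code): render a javax.servlet.http.Cookie as a
 * Set-Cookie header value that also carries a SameSite attribute, since the
 * Cookie class itself cannot express one.
 */
public final class SameSiteCookies {

    private SameSiteCookies() {}

    /**
     * Builds the Set-Cookie header value. sameSite is "None", "Lax" or
     * "Strict" (assumed parameter); null leaves the attribute out and the
     * browser applies its own default (Lax in Chrome 80+).
     */
    public static String toSetCookieHeader(Cookie cookie, String sameSite) {
        StringBuilder sb = new StringBuilder();
        sb.append(cookie.getName()).append('=')
          .append(cookie.getValue() == null ? "" : cookie.getValue());

        if (cookie.getPath() != null) {
            sb.append("; Path=").append(cookie.getPath());
        }
        if (cookie.getDomain() != null) {
            sb.append("; Domain=").append(cookie.getDomain());
        }
        // Max-Age < 0 means a session cookie; only emit it when explicitly set.
        if (cookie.getMaxAge() >= 0) {
            sb.append("; Max-Age=").append(cookie.getMaxAge());
        }

        boolean secure = cookie.getSecure();
        // Chrome 80+ drops a SameSite=None cookie unless it is also Secure,
        // so a cross-site SSO cookie must be HTTPS-only or it never arrives.
        if ("None".equalsIgnoreCase(sameSite)) {
            secure = true;
        }
        if (secure) {
            sb.append("; Secure");
        }
        if (cookie.isHttpOnly()) {
            sb.append("; HttpOnly");
        }
        if (sameSite != null) {
            sb.append("; SameSite=").append(sameSite);
        }
        return sb.toString();
    }

    /**
     * Replacement for response.addCookie(cookie): emits the header directly
     * so the SameSite attribute survives.
     */
    public static void addCookie(HttpServletResponse response, Cookie cookie, String sameSite) {
        response.addHeader("Set-Cookie", toSetCookieHeader(cookie, sameSite));
    }

    // Example usage inside a filter or servlet (values are constructed):
    //   Cookie c = new Cookie("pac4jSession", "opaque-session-id");
    //   c.setPath("/"); c.setHttpOnly(true); c.setSecure(true);
    //   SameSiteCookies.addCookie(resp, c, "None");
    //   -> Set-Cookie: pac4jSession=opaque-session-id; Path=/; Secure; HttpOnly; SameSite=None
}
```

Only cookies that genuinely have to be sent on a cross-site request (for example a session cookie that a SAML or OIDC response POSTed from the identity provider must find) need SameSite=None; cookies that are only ever read on same-site navigations are better left at Lax, which is also the browser default. If the application can move to Jakarta Servlet 6.0, Cookie.setAttribute("SameSite", "None") removes the need for the hand-built header.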