Session cookie's SameSite configuration is ignored when enabling spring session

[gbaso]

Describe the bug
When enabling Spring Session via @EnableSpringHttpSession, configuration property server.servlet.session.cookie.same-site is ignored. This is a regression from Spring 6.

To Reproduce
Include org.springframework.session:spring-session-core in your dependencies and create a configuration class with @EnableSpringHttpSession.

Expected behavior
Session cookie created by SessionRepositoryFilter, via CookieHttpSessionIdResolver#cookieSerializer, should respect server.servlet.session.cookie.same-site.

Sample

https://github.com/gbaso/spring-session-cookie

[Khyojae]

Hi, I'm interested in fixing this. It will be my first contribution to Spring Session. I'll check it out!

[DamianFekete]

Describe the bug When enabling Spring Session via @EnableSpringHttpSession, configuration property server.servlet.session.cookie.same-site is ignored. This is a regression from Spring 6.

The issue is related only to the Spring Boot 3 to 4 migration, not with the Spring Framework.
With Spring Boot 4 you'd need to include:

        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-session</artifactId>
        </dependency>

SessionAutoConfiguration will create the correct CookieSerializer bean:

https://github.com/spring-projects/spring-boot/blob/8506cfd3ef0f0577bf505fbf25de77e527d8db9b/module/spring-boot-session/src/main/java/org/springframework/boot/session/autoconfigure/SessionAutoConfiguration.java#L106