Merge pull request #1225 from Zimbra/bugfix/ZBUG-2397-1

ZBUG-2397: Added cookie SameSite=Strict and zmlocalconfig attribute
Zimbra · Feb 14, 2022 · 99d04b9 · 99d04b9
2 parents 2d40a75 + e5ac957
commit 99d04b9
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 1 deletion.
diff --git a/common/src/java/com/zimbra/common/localconfig/LC.java b/common/src/java/com/zimbra/common/localconfig/LC.java
@@ -863,6 +863,7 @@ public final class LC {
     public static final KnownKey zimbra_deregistered_authtoken_queue_size = KnownKey.newKey(5000);
     public static final KnownKey zimbra_jwt_cookie_size_limit = KnownKey.newKey(4096);
     public static final KnownKey zimbra_authtoken_cookie_domain = KnownKey.newKey("");
+    public static final KnownKey zimbra_same_site_cookie = KnownKey.newKey("Strict");
     public static final KnownKey zimbra_zmjava_options = KnownKey.newKey("-Xmx256m" +
             " -Dhttps.protocols=TLSv1.2,TLSv1.3" +
             " -Djdk.tls.client.protocols=TLSv1.2,TLSv1.3");

diff --git a/common/src/java/com/zimbra/common/util/ZimbraCookie.java b/common/src/java/com/zimbra/common/util/ZimbraCookie.java
@@ -70,7 +70,16 @@ private static void addCookie(HttpServletResponse response, String name, String
         }
         ZimbraCookie.setAuthTokenCookieDomainPath(cookie, ZimbraCookie.PATH_ROOT);
 
-        cookie.setSecure(secure);
+        String cookieVal = LC.zimbra_same_site_cookie.value();
+        if (!StringUtil.isNullOrEmpty(cookieVal)) {
+            String pathStr = cookie.getPath();
+            // setting cookie value like "SameSite=Strict;", value can be Strict, Lax, None
+            pathStr = new StringBuilder(pathStr).append(";SameSite=").append(cookieVal).append(";").toString();
+            cookie.setPath(pathStr);
+            cookie.setSecure(true);
+        } else {
+            cookie.setSecure(secure);
+        }
 
         if (httpOnly) {
             cookie.setHttpOnly(httpOnly);