Add SameSite cookie attribute support in XUI

maximthomas · maximthomas · commit 36e989499044 · 2026-03-20T12:38:47.000+03:00
diff --git a/ui/commons/src/main/js/org/forgerock/commons/ui/common/SiteConfigurator.js b/ui/commons/src/main/js/org/forgerock/commons/ui/common/SiteConfigurator.js
@@ -12,6 +12,7 @@
  * information: "Portions copyright [year] [name of copyright owner]".
  *
  * Copyright 2011-2016 ForgeRock AS.
+ * Portions copyright 2020-2026 3A Systems LLC.
  */
 
 define([
@@ -75,6 +76,7 @@ define([
 
         conf.globalData.auth.cookieName = config.cookieName;
         conf.globalData.auth.cookieDomains = config.domains;
+        conf.globalData.auth.cookieSameSite = config.cookieSameSite;
     };
 
     obj.configurePage = function (route, params) {
diff --git a/ui/commons/src/main/js/org/forgerock/commons/ui/common/util/CookieHelper.js b/ui/commons/src/main/js/org/forgerock/commons/ui/common/util/CookieHelper.js
@@ -12,6 +12,7 @@
  * information: "Portions copyright [year] [name of copyright owner]".
  *
  * Copyright 2011-2016 ForgeRock AS.
+ * Portions copyright 2020-2026 3A Systems LLC.
  */
 
 define([
@@ -31,22 +32,25 @@ define([
      * @param {String} [path] - cookie path.
      * @param {String|String[]} [domain] - cookie domain(s).
      * @param {Boolean} [secure] - is cookie secure.
+     * @param {String} [sameSite] - same site attribute.
      * @returns {String} created cookie.
      */
-    obj.createCookie = function (name, value, expirationDate, path, domain, secure) {
+    obj.createCookie = function (name, value, expirationDate, path, domain, secure, sameSite) {
         var expirationDatePart,
             nameValuePart,
             pathPart,
             domainPart,
-            securePart;
+            securePart,
+            sameSitePart;
 
         expirationDatePart = expirationDate ? ";expires=" + expirationDate.toGMTString() : "";
         nameValuePart = name + "=" + value;
         pathPart = path ? ";path=" + path : "";
         domainPart = domain ? ";domain=" + domain : "";
         securePart = secure ? ";secure" : "";
+        sameSitePart = sameSite ? ";SameSite=" + sameSite : "";
 
-        return nameValuePart + expirationDatePart + pathPart + domainPart + securePart;
+        return nameValuePart + expirationDatePart + pathPart + domainPart + securePart + sameSitePart;
     };
 
     /**
@@ -56,18 +60,19 @@ define([
      * @param {Date} [expirationDate] - cookie expiration date.
      * @param {String} [path] - cookie path.
      * @param {String|String[]} [domain] - cookie domain(s). Use empty array for creating host-only cookies.
+     * @param {String} [sameSite] - cookie same site attribute.
      * @param {Boolean} [secure] - is cookie secure.
      */
-    obj.setCookie = function (name, value, expirationDate, path, domains, secure) {
+    obj.setCookie = function (name, value, expirationDate, path, domains, secure, sameSite) {
         if (!_.isArray(domains)) {
             domains = [domains];
         }
 
         if (domains.length === 0) {
-            document.cookie = obj.createCookie(name, value, expirationDate, path, undefined, secure);
+            document.cookie = obj.createCookie(name, value, expirationDate, path, undefined, secure, sameSite);
         } else {
             _.each(domains, function(domain) {
-                document.cookie = obj.createCookie(name, value, expirationDate, path, domain, secure);
+                document.cookie = obj.createCookie(name, value, expirationDate, path, domain, secure, sameSite);
             });
         }
     };
