org.forgerock.http.protocol

Enum Cookie.SameSite

java.lang.Object

java.lang.Enum<Cookie.SameSite>

org.forgerock.http.protocol.Cookie.SameSite

All Implemented Interfaces:

Serializable, Comparable<Cookie.SameSite>

Enclosing class:

Cookie

public static enum Cookie.SameSite
extends Enum<Cookie.SameSite>

Indicates the SameSite value of the cookie. This can be used to prevent cross-site request forgery (CSRF) attacks.

Enum Constant Summary

Enum Constants

Enum Constant and Description
LAX In "lax" mode the cookie will be sent on "safe" top-level navigation methods (GET, HEAD, TRACE or OPTIONS).
NONE Some browsers are moving to marking all cookies as SameSite=lax by default and allowing SameSite=none as an option to turn that off.
STRICT In "strict" mode the cookie will not be sent unless the request originates from the same origin.

Method Summary

Modifier and Type	Method and Description
static Cookie.SameSite	parse(String value) Parses the given SameSite value.
String	toString()
static Cookie.SameSite	valueOf(String name) Returns the enum constant of this type with the specified name.
static Cookie.SameSite[]	values() Returns an array containing the constants of this enum type, in the order they are declared.

Methods inherited from class java.lang.Enum

clone, compareTo, equals, finalize, getDeclaringClass, hashCode, name, ordinal, valueOf

Methods inherited from class java.lang.Object

getClass, notify, notifyAll, wait, wait, wait

Enum Constant Detail

STRICT

public static final Cookie.SameSite STRICT

In "strict" mode the cookie will not be sent unless the request originates from the same origin. This will even block the cookie being sent when following a link from an external origin.

LAX

public static final Cookie.SameSite LAX

In "lax" mode the cookie will be sent on "safe" top-level navigation methods (GET, HEAD, TRACE or OPTIONS). This allows the cookie to be sent when following a link, but provides weaker protection as a CSRF may still be carried out by opening a new window/tab. This is the recommended default setting, in combination with other CSRF defenses such as requiring custom headers on a request.

NONE

public static final Cookie.SameSite NONE

Some browsers are moving to marking all cookies as SameSite=lax by default and allowing SameSite=none as an option to turn that off. This is only supported when cookies are also marked as secure so setting this option will also mark the cookie as secure. Note: older versions of Safari (prior to version 13) will interpret SameSite=none as if it was SameSite=strict, so browser sniffing may be required when setting this option.

Method Detail

values

public static Cookie.SameSite[] values()

Returns an array containing the constants of this enum type, in the order they are declared. This method may be used to iterate over the constants as follows:

for (Cookie.SameSite c : Cookie.SameSite.values())
    System.out.println(c);

Returns:

an array containing the constants of this enum type, in the order they are declared

valueOf

public static Cookie.SameSite valueOf(String name)

Returns the enum constant of this type with the specified name. The string must match exactly an identifier used to declare an enum constant in this type. (Extraneous whitespace characters are not permitted.)

Parameters:

name - the name of the enum constant to be returned.

Returns:

the enum constant with the specified name

Throws:

IllegalArgumentException - if this enum type has no constant with the specified name

NullPointerException - if the argument is null

parse

public static Cookie.SameSite parse(String value)

Parses the given SameSite value.

Parameters:

value - the value to parse.

Returns:

the matching SameSite value, or null if the value does not match any known setting.

toString

public String toString()

Overrides:

toString in class Enum<Cookie.SameSite>