Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others


0 votes
304 views
in Technique[技术] by (71.8m points)

Session cookies are not being sent to the Spring Boot app after authenticating via Okta

When a user browses my Spring Boot app, they are redirected to log in via Okta and after logging in, they are redirected to the default page instead of the original page they requested.

I believe the reason this is happening is due to the session cookies not being sent over to the server resulting in the server being unable to find its previous saved request. The session cookie has SameSite attribute defaulted to Lax and since the SSO URL called from Okta to my Spring Boot app is a POST method, the session cookies won't be sent. To resolve this, I need to configure Spring to set the SameSite attribute to None for the session cookie and my Spring Boot app must be https. Does this sound right? Are there alternate solutions?

Question from: https://stackoverflow.com/questions/65862952/session-cookies-are-not-being-sent-to-the-spring-boot-app-after-authenticating-v


1 Reply

0 votes
by (71.8m points)

The session cookie has to have the SameSite attribute set to None and the Secure attribute set. By default, the SameSite attribute is not set by Spring and is defaulted to Lax by the browser. This will cause the session cookie to not be sent to the server by the browser when using SSO and SAML.
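One way to apply the attributes described in the reply above, as an added example that is not part of the original question or answer. It assumes Spring Boot 2.x on embedded Tomcat with the `javax.servlet` API; the class and bean names are hypothetical.

```java
import javax.servlet.ServletContext;

import org.apache.tomcat.util.http.Rfc6265CookieProcessor;
import org.springframework.boot.web.embedded.tomcat.TomcatContextCustomizer;
import org.springframework.boot.web.servlet.ServletContextInitializer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

// Hypothetical configuration class (name chosen for this example).
@Configuration
public class SessionCookieSameSiteConfig {

    // Tomcat's cookie processor appends "SameSite=None" to the Set-Cookie
    // headers it writes. This applies to every cookie Tomcat emits, not
    // only JSESSIONID, so CSRF protection on state-changing endpoints
    // should stay enabled.
    @Bean
    public TomcatContextCustomizer sameSiteNoneCustomizer() {
        return context -> {
            Rfc6265CookieProcessor processor = new Rfc6265CookieProcessor();
            processor.setSameSiteCookies("None");
            context.setCookieProcessor(processor);
        };
    }

    // Browsers reject SameSite=None cookies that lack the Secure attribute,
    // so the session cookie is marked Secure and the app must be served
    // over HTTPS. HttpOnly keeps the cookie out of reach of page scripts.
    @Bean
    public ServletContextInitializer secureSessionCookieInitializer() {
        return (ServletContext servletContext) -> {
            servletContext.getSessionCookieConfig().setSecure(true);
            servletContext.getSessionCookieConfig().setHttpOnly(true);
        };
    }
}
```

After the change, the `Set-Cookie` response header for the session cookie should carry `Secure` and `SameSite=None`; this can be checked in the browser's network panel before retesting the Okta login redirect.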

