From 04af3600dfcd166e59afc1d67fafdcebce4c10c2 Mon Sep 17 00:00:00 2001
From: yongsik
Date: Wed, 22 Oct 2025 16:56:10 +0900
Subject: [PATCH] =?UTF-8?q?(fix)=20cookie=EC=84=A4=EC=A0=95=20sameSite=20N?=
 =?UTF-8?q?one->Lax=EB=A1=9C=20=EB=B3=80=EA=B2=BD?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../member/service/MemberCookieService.java | 21 ++++++++++++-------
 1 file changed, 13 insertions(+), 8 deletions(-)
diff --git a/src/main/java/com/cooperation/project/cooperationcenter/domain/member/service/MemberCookieService.java b/src/main/java/com/cooperation/project/cooperationcenter/domain/member/service/MemberCookieService.java
index d592c9c..7eb946f 100644
--- a/src/main/java/com/cooperation/project/cooperationcenter/domain/member/service/MemberCookieService.java
+++ b/src/main/java/com/cooperation/project/cooperationcenter/domain/member/service/MemberCookieService.java
@@ -22,15 +22,20 @@ public void addTokenCookies(HttpServletResponse response, TokenResponse tokenRes
 addRefreshCookies(response, tokenResponse);
 }
 
+
+ // .secure(true) // HTTPS 전용
+ // .sameSite("None") // CSRF 방어
+
+// .sameSite("Lax")
+// .secure(false)
+
 private void addAccessTokenCookies(HttpServletResponse response, TokenResponse tokenResponse) {
 ResponseCookie accessCookie = ResponseCookie.from(JWT_ACCESS_TOKEN_COOKIE_NAME, tokenResponse.accessToken().token())
 .httpOnly(true) // JS 접근 차단
-// .secure(true) // HTTPS 전용
 .secure(false)
 .path("/") // 전체 경로에 대해 전송
 .maxAge(ACCESS_TOKEN_EXPIRE_TIME) // 만료 시간
- .sameSite("None") // CSRF 방어
- .sameSite("None")
+ .sameSite("Lax") // CSRF 방어
 .build();
 response.addHeader(HttpHeaders.SET_COOKIE, accessCookie.toString());
 }
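Review bot: The seven added lines between `addTokenCookies` and `addAccessTokenCookies` are commented-out attribute chains (`// .secure(true)`, `// .sameSite("None")`, `// .sameSite("Lax")`, `// .secure(false)`) that sit at class scope, document nothing and contradict each other; delete them rather than committing dead code. The access-token cookie still keeps `.secure(false)`, so the JWT is also sent on plain-HTTP requests, and the same hard-coded `false` appears in the hunks at `@@ -52`, `@@ -64`, `@@ -80` and `@@ -90`; the flag should come from a profile-specific configuration property and be `true` anywhere outside local development. With `SameSite=Lax` the `// CSRF 방어` comment is now accurate, since cross-site POSTs no longer carry the cookie, which was not true with `None`; if cross-site requests are genuinely required, `None` would also need `Secure` or browsers drop the cookie. The body of addTokenCookies begins outside the hunk.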
@@ -40,7 +45,7 @@ private void addAccessTokenCookies(HttpServletResponse response, AccessToken acc
 .secure(true) // HTTPS 전용
 .path("/") // 전체 경로에 대해 전송
 .maxAge(ACCESS_TOKEN_EXPIRE_TIME) // 만료 시간
- .sameSite("None") // CSRF 방어
+ .sameSite("Lax") // CSRF 방어
 .build();
 response.addHeader(HttpHeaders.SET_COOKIE, accessCookie.toString());
 }
@@ -52,7 +57,7 @@ public void addAccessTokenCookies(HttpServletResponse response, String accessTok
 .secure(false)
 .path("/") // 전체 경로에 대해 전송
 .maxAge(ACCESS_TOKEN_EXPIRE_TIME) // 만료 시간
- .sameSite("None") // CSRF 방어
+ .sameSite("Lax") // CSRF 방어
 .build();
 response.addHeader(HttpHeaders.SET_COOKIE, accessCookie.toString());
 }
@@ -64,7 +69,7 @@ private void addRefreshCookies(HttpServletResponse response, TokenResponse token
 .secure(false)
 .path("/") // 리프레시 전용 엔드포인트에만 전송
 .maxAge(REFRESH_TOKEN_EXPIRE_TIME)
- .sameSite("None")
+ .sameSite("Lax")
 .build();
 response.addHeader(HttpHeaders.SET_COOKIE, refreshCookie.toString());
 }
@@ -80,7 +85,7 @@ private void expiredCookie(HttpServletResponse response, TokenResponse tokenResp
 .secure(false)
 .path("/") // 로그인 시 지정한 path와 동일하게
 .maxAge(0) // 즉시 만료
- .sameSite("None")
+ .sameSite("Lax")
 .build();
 
 // 2) REFRESH_TOKEN 쿠키 삭제
@@ -90,7 +95,7 @@ private void expiredCookie(HttpServletResponse response, TokenResponse tokenResp
 .secure(false)
 .path("/") // 로그인 시 지정한 path와 동일하게
 .maxAge(0)
- .sameSite("None")
+ .sameSite("Lax")
 .build();
 response.addHeader(HttpHeaders.SET_COOKIE, deleteAccess.toString());
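Review bot: This `AccessToken` overload keeps `.secure(true)` while the sibling overloads in the hunks at `@@ -22` and `@@ -52` use `.secure(false)`, so whether the access token is protected from plaintext transport depends on which `addAccessTokenCookies` a caller happens to pick. The same `httpOnly/secure/path/maxAge/sameSite` chain is now repeated six times in this file with per-site differences; one private helper that builds the cookie from name, value and max-age and applies the shared attributes once would keep the policy uniform and make the next flag change a one-line diff. The enclosing method starts before the hunk.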
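Review bot: `.path("/")` on the refresh-token cookie contradicts its own comment `// 리프레시 전용 엔드포인트에만 전송` (sent only to the refresh endpoint): with path `/` the long-lived refresh token accompanies every request to the origin, not just the refresh call. Scoping it with `.path("<refresh-endpoint-path>")` (placeholder; use the actual refresh route) limits how often the token crosses the wire and lands in request logs; the refresh-expiry cookie built after `// 2) REFRESH_TOKEN 쿠키 삭제` in the hunk at `@@ -90` must then use the same path or the browser will not clear it. If the broad path is intentional, fix the comment so it matches the code instead. addRefreshCookies starts outside the hunk.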
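Review bot: The expiry cookie here is built with `.secure(false)` although the `AccessToken` overload at `@@ -40` issues what is presumably the same-named cookie with `.secure(true)`; as far as I recall, browsers implementing the RFC 6265bis "leave secure cookies alone" rule ignore a non-Secure Set-Cookie received over plain HTTP when a Secure cookie with the same name already exists, so a logout served over HTTP may leave the token in place. Using one set of cookie attributes for both issuing and expiring, `Secure` included, avoids the mismatch; the same applies to the refresh-cookie expiry at `@@ -90`. The comment `// 로그인 시 지정한 path와 동일하게` already records that requirement for `Path`; extend it to `// Path, Secure and SameSite must match the issuing cookie`. expiredCookie starts outside the hunk.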