From 0bc79b1507d125bf8d54036728c50000620c2948 Mon Sep 17 00:00:00 2001
From: Khyojae
Date: Fri, 23 Jan 2026 15:59:17 +0900
Subject: [PATCH] Fix #3622: Ensure SameSite is Lax when null is provided to DefaultCookieSerializer

Signed-off-by: Khyojae
---
 .../web/http/DefaultCookieSerializer.java | 5 +++++
 .../web/http/DefaultCookieSerializerTests.java | 17 +++++++++++++++++
 2 files changed, 22 insertions(+)

diff --git a/spring-session-core/src/main/java/org/springframework/session/web/http/DefaultCookieSerializer.java b/spring-session-core/src/main/java/org/springframework/session/web/http/DefaultCookieSerializer.java
index 7b350ac38..b0e93740f 100644
--- a/spring-session-core/src/main/java/org/springframework/session/web/http/DefaultCookieSerializer.java
+++ b/spring-session-core/src/main/java/org/springframework/session/web/http/DefaultCookieSerializer.java
@@ -40,6 +40,7 @@
  * @author Rob Winch
  * @author Vedran Pavic
  * @author Eddú Meléndez
+ * @author Khyojae
  * @since 1.1
  */
 public class DefaultCookieSerializer implements CookieSerializer {
@@ -410,6 +411,10 @@ public void setRememberMeRequestAttribute(String rememberMeRequestAttribute) {
 	 * @since 2.1.0
 	 */
 	public void setSameSite(String sameSite) {
+		if (sameSite == null) {
+			this.sameSite = "Lax";
+			return;
+		}
 		this.sameSite = sameSite;
 	}
 
diff --git a/spring-session-core/src/test/java/org/springframework/session/web/http/DefaultCookieSerializerTests.java b/spring-session-core/src/test/java/org/springframework/session/web/http/DefaultCookieSerializerTests.java
index 358b884c1..834ce954f 100644
--- a/spring-session-core/src/test/java/org/springframework/session/web/http/DefaultCookieSerializerTests.java
+++ b/spring-session-core/src/test/java/org/springframework/session/web/http/DefaultCookieSerializerTests.java
@@ -45,6 +45,7 @@
  * @author Rob Winch
  * @author Vedran Pavic
  * @author Eddú Meléndez
+ * @author Khyojae
  */
 class DefaultCookieSerializerTests {
 
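Review bot: The early-return block added to setSameSite makes null silently mean "Lax", but the method's Javadoc (it starts above the hunk; only `@since 2.1.0` is visible) is left unchanged, so a caller that previously passed null to omit the SameSite attribute gets no signal that the contract changed. The `@param` should state it explicitly, for example `@param sameSite the SameSite attribute value; {@code null} is treated as {@code "Lax"}`. The four added lines also collapse to a single assignment, `this.sameSite = (sameSite != null) ? sameSite : "Lax";`, which avoids the early return before the original assignment. If the field initializer elsewhere in the class already carries the "Lax" default, pulling both into one private constant would keep the two from drifting apart.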
@@ -460,6 +461,22 @@ void writeCookieSetSameSiteNull() {
 		assertThat(getCookie().getSameSite()).isNull();
 	}
 
+
+
+	@Test
+	void writeCookieShouldUseDefaultSameSiteWhenNotSet() {
+		DefaultCookieSerializer serializer = new DefaultCookieSerializer();
+		serializer.setSameSite(null);
+
+		MockHttpServletRequest request = new MockHttpServletRequest();
+		MockHttpServletResponse response = new MockHttpServletResponse();
+		serializer.writeCookieValue(new CookieValue(request, response, "test-id"));
+
+		assertThat(response.getHeader("Set-Cookie")).contains("SameSite=Lax");
+	}
+
+
 	void setCookieName(String cookieName) {
 		this.cookieName = cookieName;
 		this.serializer.setCookieName(cookieName);
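Review bot: The new test builds its own DefaultCookieSerializer and Mock request/response, whereas the neighbouring tests in this class go through the shared `this.serializer` and `getCookie()` fixture visible in the context lines, so the same check reads more consistently as `this.serializer.setSameSite(null); assertThat(getCookie().getSameSite()).isEqualTo("Lax");`. The hunk also inserts three blank lines before `@Test` and two after the closing brace, where the rest of the file separates methods with one. Separately, the context shows the existing `writeCookieSetSameSiteNull` asserting that `getCookie().getSameSite()` is null; if that test reaches its state via `setSameSite(null)` (its body starts above the hunk), it now contradicts the new behaviour and should be revisited in the same commit. The setCookieName helper at the end of the hunk continues outside it.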