Add secure flag to JSESSIONID cookie in spring automatically
When you use spring-session, e.g. to persist your session in Redis, this is indeed done automatically. The cookie is then created by org.springframework.session.web.http.CookieHttpSessionStrategy, which in CookieHttpSessionStrategy#createSessionCookie checks whether the request came in via HTTPS and sets Secure accordingly:
sessionCookie.setSecure(request.isSecure());
If you do not use spring-session, you can configure secure cookies using a ServletContextInitializer. Use an application property to set it to true/false depending on a profile.
@Bean
public ServletContextInitializer servletContextInitializer(@Value("${secure.cookie}") boolean secure) {
    return new ServletContextInitializer() {
        @Override
        public void onStartup(ServletContext servletContext) throws ServletException {
            // Mark the container's session cookie (JSESSIONID) as Secure according to the property
            servletContext.getSessionCookieConfig().setSecure(secure);
        }
    };
}
application.properties (used in dev when profile 'prod' is not active):
secure.cookie=false
application-prod.properties (only used when profile 'prod' is active, overwrites value in application.properties):
secure.cookie=true
Start your application on the prod server with:
--spring.profiles.active=prod
Sounds like some effort if you have not worked with profiles so far, but you will most likely need a profile for the prod environment anyway, so it's really worth it.
If you are using Spring Boot, there is a simple solution for it. Just set the following property in your application.properties:
server.servlet.session.cookie.secure=true
Source: Spring docs - Appendix A. Common application properties
If you have some environment with HTTPS and some without it, you will need to set it to false in profiles without HTTPS. Otherwise the Secure cookie is ignored.
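Whichever of the configuration methods above you use, the thing worth verifying per environment is the actual Set-Cookie header the server emits. The following shell script is an added example, not code from any of the answers above: it parses raw HTTP response headers (a constructed sample is embedded so it runs offline) and reports whether the named session cookie carries the Secure attribute. The hostname in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example: check whether the session cookie in an HTTP response carries
# the Secure attribute. Typical use against a deployed instance (placeholder host):
#   curl -sI https://app.example.invalid/ | check_session_cookie_secure JSESSIONID
# Exit codes: 0 = Secure present, 1 = cookie set without Secure, 2 = cookie not set.

# Return 0 if a single Set-Cookie header line contains a Secure attribute.
# Attributes are ';'-separated and case-insensitive (RFC 6265), so each
# attribute is isolated on its own line, trimmed, and compared whole; this
# avoids false positives from a cookie value that merely contains "secure".
cookie_has_secure() {
    line=$1
    printf '%s\n' "$line" | tr -d '\r' | tr ';' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
        | grep -qi '^secure$'
}

# Read raw response headers on stdin, pick the first Set-Cookie line for the
# named cookie and test it with cookie_has_secure.
check_session_cookie_secure() {
    name=$1
    line=$(tr -d '\r' | grep -i "^set-cookie:[[:space:]]*$name=" | head -n 1)
    [ -n "$line" ] || return 2
    cookie_has_secure "$line"
}

# Constructed sample responses (not captured from a real server).
SAMPLE_SECURE='HTTP/1.1 200 OK
Set-Cookie: JSESSIONID=abc123; Path=/; Secure; HttpOnly
Content-Type: text/html'

SAMPLE_INSECURE='HTTP/1.1 200 OK
Set-Cookie: JSESSIONID=abc123; Path=/; HttpOnly
Content-Type: text/html'

# Demo run over the constructed samples.
for sample in "$SAMPLE_SECURE" "$SAMPLE_INSECURE"; do
    if printf '%s\n' "$sample" | check_session_cookie_secure JSESSIONID; then
        echo "JSESSIONID: Secure attribute present"
    else
        echo "JSESSIONID: Secure attribute missing (rc=$?)"
    fi
done
```

Run the check from each environment (or through your TLS-terminating proxy) rather than only on localhost: as the answer notes, a Secure cookie issued on a plain-HTTP profile is simply not sent back by the browser, so the header is the ground truth for the deployed configuration.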
In your application.yml just add:
server:
  session:
    cookie:
      secure: true