🏠 ❯ Spring Framework ❯ Customizing Spring Session Cookies

Customizing Spring Session Cookies

Raja Anbazhagan

In this post, We will take a look at Customizing Spring Session Cookies with an example.

Typical behaviour

In session-based authentications like Form-Login and CAS(Central Authentication System), the session is established via cookies. This is done by sending a Set-Cookie header after a successful login similar to the one shown below.

Set-Cookie: JSESSIONID=6A55DBAF1A3BF1D938179C0D2E1CAA07; Path=/; HttpOnlyCode language: JavaScript (javascript)

Once the browser reads this response header, it will add the value to its cookie storage with the name JSESSIONID. Along with the cookie value, there are few other settings are hinted at by the server. For example, the cookie is valid for all the URLs under the path ’/‘. The cookie is marked as HttpOnly so that javascript cannot read these using document.cookies.

Why should we Customizing Spring Session Cookies?

You may wonder why should you change the default cookie behaviour. Honestly, most of you don’t need to. However, When you run your applications behind load balancers, the same cookie name cannot be used across different applications. Also, the default behaviour is no timeout for these cookies.

Cookies set for subdomains cannot be read by the parent domain (But the otherwise is true). For example, you may be running your APIs at api.somedomain.com and the frontend is at somedomain.com. In this case, you need to explicitly set the cookie domain to somedomain.com. Similarly, cookies set for a specific path takes higher precedence. For instance, You may have configured your application to listen at the path /my-app. But this makes the cookie also be set to /my-app. To keep the cookie to root path ’/’ or any different path, you need to customize the cookie.

Add the following configuration to your application.properties to change the behaviour.

To change the spring session cookie name, use the following property.

server.servlet.session.cookie.name=CUSTOMSESSIONIDCode language: Properties (properties)

The following property will help you change the session cookie path.

server.servlet.session.cookie.path=/Code language: Properties (properties)

To make sure javascript in your frontend can access the cookies, set the server.servlet.session.cookie.http-only property to false. Do not use this unless you understand the risks of getting XSS attacks.

server.servlet.session.cookie.http-only=falseCode language: Properties (properties)

To change the cookie domain use server.servlet.session.cookie.domain property.

server.servlet.session.cookie.domain=somedomain.comCode language: Properties (properties)

To make sure only secure(HTTPS) requests use the cookie set the server.servlet.session.cookie.secure property to true. For added security, make sure you use this.

server.servlet.session.cookie.secure=trueCode language: Properties (properties)

Occasionally, you can change the spring session cookie expiration time using the server.servlet.session.cookie.max-age configuration. It takes a duration as parameter. For example, the following sets the expiration to 30 minutes. After this said duration, the browser would delete the cookie automatically. Note that this is different from server.servlet.session.timeout.

server.servlet.session.cookie.max-age=30MCode language: Properties (properties)

With all the above setup done, the cookie would look something like below.

Set-Cookie: CUSTOMSESSIONID=A24225F633D2AA68C7D722D77C53943B; Max-Age=1800; Expires=Wed, 30-Dec-2020 14:28:13 GMT; Domain=somedomain.com; Path=/; SecureCode language: JavaScript (javascript)

Provide a Cookie Serializer implementation

All the above properties are auto-configured to a simple cookie implementation. However, there are attributes like SameSite ,DomainPattern etc cannot be done using just the configuration entries. To achieve that, you need to provide a CookieSerializer bean.

  1. Bring in org.springframework.session:spring-session-core dependency.
  2. Annotate the main class with @EnableSpringHttpSession
  3. Supply a SessionRepository<MapSession> repository bean. I used MapSessionRepository for this example.
  4. Define a CookieSerializer bean as shown below.
    @Bean
    CookieSerializer cookieSerializer() {
        DefaultCookieSerializer defaultCookieSerializer = new DefaultCookieSerializer();
        defaultCookieSerializer.setCookieName("CUSTOMSESSIONID");
        defaultCookieSerializer.setUseHttpOnlyCookie(false);
        defaultCookieSerializer.setCookiePath("/");
        defaultCookieSerializer.setDomainName("somedomain.com");
        defaultCookieSerializer.setUseSecureCookie(true);
        defaultCookieSerializer.setSameSite("none");
        return defaultCookieSerializer;

    }Code language: Java (java)

Even though the above is possible, the ones from configuration properties are enough to handle real-world cases. Also, The ideal way to do the java-config is along with a dedicated session-store like Hazelcast or Redis. As these starters would bring in spring-session-core as a transitive dependency.

The code is available in the github link below. Start the app and try running the following curl and you will see the changes.

$ curl -i -u "user1:user1" http://localhost:8080/my-app/userCode language: Bash (bash)

You can find the samples for this post at this github repository.

You may also find the following articles related to this write-up.

Similar Posts

Password Encoder in Spring Security

Spring Framework

In this post, We will take a look at password encoders in detail with an example. Traditionally, storing passwords were hard. The application will have to encode user passwords and store them in a database. But with password encoders provided by spring security, all of these can be done automatically. Password Encoders are beans that…

Using JdbcTemplate with Spring Boot

Spring Framework

Introduction Spring Boot provides support to typical JDBC operations via jdbcTemplate. With JDBC templates, you can perform complex database operations which are not possible through JPA. Starter Dependencies JDBC templates feature is part of the Spring JDBC module. This means that either the JPA starter or the JDBC starter will bring this support. As we…

Drools Rule Engine for Spring Boot – Tutorial

Spring Framework

Lets learn how to integrate Drools Rule Engine with Spring Boot application for business rules management with an Example. Drools is a Business Rule Engine that is based on Java Rules API. It lets you create complex applications where the business logic changes a lot post development. Introduction To Drools For example, you may run…

Spring IOC Container

Spring Framework

Traditionally, the flow of business logic depends on the statically defined objects and their dependents. This approach creates tightly coupled applications that are hard to extend or modify. But with IOC containers, the business logic depends on the object graph built by an IOC container. So what is an IOC Container? Inversion Of Control(IoC) is…

Handling Lists in Thymeleaf view

Spring Framework

In this article, We will see how to handle Lists in thymeleaf templates with an example using th:each attribute. Loop through a Lists Let’s create a list of Objects first and then supply it to the Model and View. For this reason, We created a UserInfo object. The list we are going to use in our thymeleaf model is…

Spring Boot Custom Health Indicators

Spring Framework

In this post, We will learn about writing Custom Health Check indicators for Spring Boot Applications. Spring Boot out-of-the-box health checks are good. But in the real world, it is often the case that one application relies on another application’s availability for performing operations. In this case, it would be helpful to add a health…

Leave a Reply

Your email address will not be published. Required fields are marked *