Spring boot cookies won't obey application.properties settings

Hello,

I have in application.properties the following :

server.servlet.session.cookie.same-site=none
server.servlet.session.cookie.http-only=true
server.servlet.session.cookie.secure=true

server.servlet.session.cookie.same-site=none
server.servlet.session.cookie.http-only=true
server.servlet.session.cookie.secure=true

but then I deploy the app(on my RPI) the settings are not obeyed
I check them here: https://developer.mozilla.org/en-US/observatory

can you suggest what I'm missing ?

I also tried:

    @Bean
    TomcatContextCustomizer sessionCookieConfigForCors() {
        return context -> {
            final Rfc6265CookieProcessor cookieProcessor = new Rfc6265CookieProcessor() {
                @Override
                public String generateHeader(Cookie cookie, HttpServletRequest request) {

                    // Needs to be secure
                    if (cookie.getName().startsWith("JSESSIONID")) {
                        cookie.setSecure(true);
                        cookie.setPath("/");
                        cookie.setDomain("mydomain.eu");
                        cookie.setAttribute("SameSite", SameSiteCookies.NONE.getValue());
                        cookie.setHttpOnly(true);
                        // cookie.setAttribute("Partitioned", "true");
                    }
                    if (cookie.getName().startsWith("csrfToken")) {
                        cookie.setSecure(true);
                        cookie.setPath("/");
                        cookie.setDomain("mydomain.eu");
                        cookie.setAttribute("SameSite", SameSiteCookies.NONE.getValue());
                        cookie.setHttpOnly(true);
                        // cookie.setAttribute("Partitioned", "true");
                    }
                    return super.generateHeader(cookie, request);
                }
            };
            context.setCookieProcessor(cookieProcessor);
        };
    }

    @Bean
    TomcatContextCustomizer sessionCookieConfigForCors() {
        return context -> {
            final Rfc6265CookieProcessor cookieProcessor = new Rfc6265CookieProcessor() {
                @Override
                public String generateHeader(Cookie cookie, HttpServletRequest request) {

                    // Needs to be secure
                    if (cookie.getName().startsWith("JSESSIONID")) {
                        cookie.setSecure(true);
                        cookie.setPath("/");
                        cookie.setDomain("mydomain.eu");
                        cookie.setAttribute("SameSite", SameSiteCookies.NONE.getValue());
                        cookie.setHttpOnly(true);
                        // cookie.setAttribute("Partitioned", "true");
                    }
                    if (cookie.getName().startsWith("csrfToken")) {
                        cookie.setSecure(true);
                        cookie.setPath("/");
                        cookie.setDomain("mydomain.eu");
                        cookie.setAttribute("SameSite", SameSiteCookies.NONE.getValue());
                        cookie.setHttpOnly(true);
                        // cookie.setAttribute("Partitioned", "true");
                    }
                    return super.generateHeader(cookie, request);
                }
            };
            context.setCookieProcessor(cookieProcessor);
        };
    }

here some stuff is obeyed some not, the stuff that works is setting the domain.

MDN Web Docs

HTTP Header Security Test - HTTP Observatory | MDN

Test your site’s HTTP headers, including CSP and HSTS, to find security problems and get actionable recommendations to make your website more secure. Test other websites to see how you compare.

Spring boot cookies won't obey application.properties settings

Hello,

I have in application.properties the following :

server.servlet.session.cookie.same-site=none
server.servlet.session.cookie.http-only=true
server.servlet.session.cookie.secure=true

server.servlet.session.cookie.same-site=none
server.servlet.session.cookie.http-only=true
server.servlet.session.cookie.secure=true

but then I deploy the app(on my RPI) the settings are not obeyed
I check them here: https://developer.mozilla.org/en-US/observatory

can you suggest what I'm missing ?

I also tried:

    @Bean
    TomcatContextCustomizer sessionCookieConfigForCors() {
        return context -> {
            final Rfc6265CookieProcessor cookieProcessor = new Rfc6265CookieProcessor() {
                @Override
                public String generateHeader(Cookie cookie, HttpServletRequest request) {

                    // Needs to be secure
                    if (cookie.getName().startsWith("JSESSIONID")) {
                        cookie.setSecure(true);
                        cookie.setPath("/");
                        cookie.setDomain("mydomain.eu");
                        cookie.setAttribute("SameSite", SameSiteCookies.NONE.getValue());
                        cookie.setHttpOnly(true);
                        // cookie.setAttribute("Partitioned", "true");
                    }
                    if (cookie.getName().startsWith("csrfToken")) {
                        cookie.setSecure(true);
                        cookie.setPath("/");
                        cookie.setDomain("mydomain.eu");
                        cookie.setAttribute("SameSite", SameSiteCookies.NONE.getValue());
                        cookie.setHttpOnly(true);
                        // cookie.setAttribute("Partitioned", "true");
                    }
                    return super.generateHeader(cookie, request);
                }
            };
            context.setCookieProcessor(cookieProcessor);
        };
    }

    @Bean
    TomcatContextCustomizer sessionCookieConfigForCors() {
        return context -> {
            final Rfc6265CookieProcessor cookieProcessor = new Rfc6265CookieProcessor() {
                @Override
                public String generateHeader(Cookie cookie, HttpServletRequest request) {

                    // Needs to be secure
                    if (cookie.getName().startsWith("JSESSIONID")) {
                        cookie.setSecure(true);
                        cookie.setPath("/");
                        cookie.setDomain("mydomain.eu");
                        cookie.setAttribute("SameSite", SameSiteCookies.NONE.getValue());
                        cookie.setHttpOnly(true);
                        // cookie.setAttribute("Partitioned", "true");
                    }
                    if (cookie.getName().startsWith("csrfToken")) {
                        cookie.setSecure(true);
                        cookie.setPath("/");
                        cookie.setDomain("mydomain.eu");
                        cookie.setAttribute("SameSite", SameSiteCookies.NONE.getValue());
                        cookie.setHttpOnly(true);
                        // cookie.setAttribute("Partitioned", "true");
                    }
                    return super.generateHeader(cookie, request);
                }
            };
            context.setCookieProcessor(cookieProcessor);
        };
    }

here some stuff is obeyed some not, the stuff that works is setting the domain.

MDN Web Docs

HTTP Header Security Test - HTTP Observatory | MDN

Test your site’s HTTP headers, including CSP and HSTS, to find security problems and get actionable recommendations to make your website more secure. Test other websites to see how you compare.

Spring boot cookies won't obey application.properties settings

Spring boot cookies won't obey application.properties settings

Similar Threads

Similar Threads

Similar Threads