Spring boot cookies won't obey application.properties settings

Hello, I have in application.properties the following:
server.servlet.session.cookie.same-site=none
server.servlet.session.cookie.http-only=true
server.servlet.session.cookie.secure=true
but when I deploy the app (on my RPI) the settings are not obeyed. I check them here: https://developer.mozilla.org/en-US/observatory Can you suggest what I'm missing? I also tried:
import jakarta.servlet.http.Cookie;
import jakarta.servlet.http.HttpServletRequest;
import org.apache.tomcat.util.http.Rfc6265CookieProcessor;
import org.apache.tomcat.util.http.SameSiteCookies;
import org.springframework.boot.web.embedded.tomcat.TomcatContextCustomizer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

// Registers a custom Tomcat cookie processor so that every Set-Cookie header
// generated for the session (JSESSIONID) and CSRF (csrfToken) cookies carries
// the hardening attributes. The jakarta.* imports assume Spring Boot 3 /
// Servlet 6; Cookie.setAttribute only exists from Servlet 6 on.
// (The surrounding @Configuration class is assumed; the post showed only the bean.)
@Configuration
public class CookieConfig {

    @Bean
    TomcatContextCustomizer sessionCookieConfigForCors() {
        return context -> {
            final Rfc6265CookieProcessor cookieProcessor = new Rfc6265CookieProcessor() {
                @Override
                public String generateHeader(Cookie cookie, HttpServletRequest request) {
                    // Needs to be secure
                    if (cookie.getName().startsWith("JSESSIONID")) {
                        cookie.setSecure(true);
                        cookie.setPath("/");
                        cookie.setDomain("mydomain.eu");
                        cookie.setAttribute("SameSite", SameSiteCookies.NONE.getValue());
                        cookie.setHttpOnly(true);
                        // cookie.setAttribute("Partitioned", "true");
                    }
                    if (cookie.getName().startsWith("csrfToken")) {
                        cookie.setSecure(true);
                        cookie.setPath("/");
                        cookie.setDomain("mydomain.eu");
                        cookie.setAttribute("SameSite", SameSiteCookies.NONE.getValue());
                        cookie.setHttpOnly(true);
                        // cookie.setAttribute("Partitioned", "true");
                    }
                    // Let Tomcat serialise the (now modified) cookie into the header value.
                    return super.generateHeader(cookie, request);
                }
            };
            context.setCookieProcessor(cookieProcessor);
        };
    }
}
Here some stuff is obeyed, some not; the stuff that works is setting the domain.
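Added example (not from the original post or from Spring Boot): a stand-alone Java program that looks at the Set-Cookie headers exactly as an external scanner such as the MDN Observatory sees them, parses each cookie's attributes and reports which hardening attributes (Secure, HttpOnly, SameSite) are missing. With no arguments it checks two constructed sample headers; given a URL it fetches it with the JDK's HttpClient and audits the real headers the server sends. It assumes JDK 17 or newer (records, java.net.http) and the class name SetCookieAudit is mine. Note that the server.servlet.session.cookie.* properties only configure the container's session cookie; a cookie written by another component (for example a CSRF cookie created with Spring Security's CookieCsrfTokenRepository.withHttpOnlyFalse()) carries whatever attributes that component sets, which is one reason a scan can show JSESSIONID passing while another cookie does not.

```java
// Added example: audit Set-Cookie headers for Secure / HttpOnly / SameSite.
// Usage: java SetCookieAudit.java              (checks constructed samples)
//        java SetCookieAudit.java https://mydomain.eu/   (audits a live response)
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.TreeMap;

public class SetCookieAudit {

    /** Cookie name plus its attributes, keyed by lower-cased attribute name. */
    record ParsedCookie(String name, Map<String, String> attributes) {
        boolean has(String attr) { return attributes.containsKey(attr.toLowerCase(Locale.ROOT)); }
        String get(String attr) { return attributes.get(attr.toLowerCase(Locale.ROOT)); }
    }

    /** Parse one header value of the RFC 6265 shape "name=value; Attr; Attr=Value". */
    static ParsedCookie parse(String header) {
        String[] parts = header.split(";");
        String nameValue = parts[0].trim();
        int eq = nameValue.indexOf('=');
        String name = eq < 0 ? nameValue : nameValue.substring(0, eq).trim();
        Map<String, String> attrs = new TreeMap<>();
        for (int i = 1; i < parts.length; i++) {
            String p = parts[i].trim();
            if (p.isEmpty()) continue;
            int k = p.indexOf('=');
            String key = (k < 0 ? p : p.substring(0, k)).trim().toLowerCase(Locale.ROOT);
            String val = k < 0 ? "" : p.substring(k + 1).trim();
            attrs.put(key, val);
        }
        return new ParsedCookie(name, attrs);
    }

    /** Findings for one cookie; an empty list means every checked attribute is present. */
    static List<String> findings(ParsedCookie c) {
        List<String> out = new ArrayList<>();
        if (!c.has("Secure")) out.add("missing Secure");
        if (!c.has("HttpOnly")) out.add("missing HttpOnly");
        String sameSite = c.get("SameSite");
        if (sameSite == null) {
            out.add("missing SameSite");
        } else if (sameSite.equalsIgnoreCase("None") && !c.has("Secure")) {
            // Browsers drop SameSite=None cookies that are not also marked Secure.
            out.add("SameSite=None requires Secure");
        }
        return out;
    }

    /** Print one line per cookie: name, then "OK" or the list of findings. */
    static void report(List<String> headers) {
        for (String h : headers) {
            ParsedCookie c = parse(h);
            List<String> f = findings(c);
            System.out.println(c.name() + ": " + (f.isEmpty() ? "OK" : String.join(", ", f)));
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length == 0) {
            // Constructed sample headers: the first is what the properties in the
            // question should produce; the second is a CSRF cookie lacking HttpOnly.
            report(List.of(
                "JSESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=None",
                "csrfToken=def456; Path=/; Secure; SameSite=None"));
            return;
        }
        // Fetch the given URL without following redirects, so the audited headers
        // are the ones of the first response, the same thing an external scanner sees.
        HttpClient client = HttpClient.newBuilder()
                .followRedirects(HttpClient.Redirect.NEVER)
                .build();
        HttpResponse<Void> resp = client.send(
                HttpRequest.newBuilder(URI.create(args[0])).GET().build(),
                HttpResponse.BodyHandlers.discarding());
        report(resp.headers().allValues("set-cookie"));
    }
}
```

Run against the deployed URL rather than localhost: a reverse proxy or TLS terminator in front of the RPI can rewrite or add cookies, and the scanner judges only what reaches the client. If a cookie is reported as missing HttpOnly even though the customizer above sets it, the cookie is being emitted by something other than the Tomcat cookie processor path the customizer hooks, so check which component creates it.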
3 Replies
JavaBot • 3d ago
⌛ This post has been reserved for your question.
Hey @Spectral_Shadow! Please use /close or the Close Post button above when your problem is solved. Please remember to follow the help guidelines. This post will be automatically marked as dormant after 300 minutes of inactivity.
TIP: Narrow down your issue to simple and precise questions to maximize the chance that others will reply in here.
Spectral_Shadow (OP) • 3d ago
I managed to do stuff, but I still can't figure out why HttpOnly is not set.
JavaBot • 3d ago
💤 Post marked as dormant
This post has been inactive for over 300 minutes, thus, it has been archived. If your question was not answered yet, feel free to re-open this post or create a new one. In case your post is not getting any attention, you can try to use /help ping. Warning: abusing this will result in moderative actions taken against you.