Spectral_Shadow
Spectral_Shadow
PostsComments
JCHJava Community | Help. Code. Learn.
Created by Spectral_Shadow on 1/26/2025 in #java-help
Spring boot cookies won't obey application.properties settings
Hello, I have in application.properties the following : 
server.servlet.session.cookie.same-site=none
server.servlet.session.cookie.http-only=true
server.servlet.session.cookie.secure=true
server.servlet.session.cookie.same-site=none
server.servlet.session.cookie.http-only=true
server.servlet.session.cookie.secure=true
but then I deploy the app(on my RPI) the settings are not obeyed I check them here: https://developer.mozilla.org/en-US/observatory can you suggest what I'm missing ? I also tried: 
    @Bean
    TomcatContextCustomizer sessionCookieConfigForCors() {
        return context -> {
            final Rfc6265CookieProcessor cookieProcessor = new Rfc6265CookieProcessor() {
                @Override
                public String generateHeader(Cookie cookie, HttpServletRequest request) {

                    // Needs to be secure
                    if (cookie.getName().startsWith("JSESSIONID")) {
                        cookie.setSecure(true);
                        cookie.setPath("/");
                        cookie.setDomain("mydomain.eu");
                        cookie.setAttribute("SameSite", SameSiteCookies.NONE.getValue());
                        cookie.setHttpOnly(true);
                        // cookie.setAttribute("Partitioned", "true");
                    }
                    if (cookie.getName().startsWith("csrfToken")) {
                        cookie.setSecure(true);
                        cookie.setPath("/");
                        cookie.setDomain("mydomain.eu");
                        cookie.setAttribute("SameSite", SameSiteCookies.NONE.getValue());
                        cookie.setHttpOnly(true);
                        // cookie.setAttribute("Partitioned", "true");
                    }
                    return super.generateHeader(cookie, request);
                }
            };
            context.setCookieProcessor(cookieProcessor);
        };
    }
    @Bean
    TomcatContextCustomizer sessionCookieConfigForCors() {
        return context -> {
            final Rfc6265CookieProcessor cookieProcessor = new Rfc6265CookieProcessor() {
                @Override
                public String generateHeader(Cookie cookie, HttpServletRequest request) {

                    // Needs to be secure
                    if (cookie.getName().startsWith("JSESSIONID")) {
                        cookie.setSecure(true);
                        cookie.setPath("/");
                        cookie.setDomain("mydomain.eu");
                        cookie.setAttribute("SameSite", SameSiteCookies.NONE.getValue());
                        cookie.setHttpOnly(true);
                        // cookie.setAttribute("Partitioned", "true");
                    }
                    if (cookie.getName().startsWith("csrfToken")) {
                        cookie.setSecure(true);
                        cookie.setPath("/");
                        cookie.setDomain("mydomain.eu");
                        cookie.setAttribute("SameSite", SameSiteCookies.NONE.getValue());
                        cookie.setHttpOnly(true);
                        // cookie.setAttribute("Partitioned", "true");
                    }
                    return super.generateHeader(cookie, request);
                }
            };
            context.setCookieProcessor(cookieProcessor);
        };
    }
here some stuff is obeyed some not, the stuff that works is setting the domain.
5 replies