Configure Session Cookie using SessionCookieConfig

[rwinch]

The configuration for the Session Cookie (i.e. SessionCookieConfig) should impact Spring Session's settings.

Update:

There are some limitations in our capability of mapping SessionCookieConfig's attributes (copied from the description on PR #713):

• secure: DefaultCookieSerializer#useSecureCookie defaults to null and relies on ServletRequest#isSecure which means mapping a value from SessionCookieConfig would override our default (since secure is a primitive boolean over there and typically defaults to false)
• httpOnly: DefaultCookieSerializer#useHttpOnlyCookie defaults to true in Servlet 3.0+ environments which means our default would be overridden in httpOnly typically defaults to false

[a-marcel]

Hello,

is there someting new about this topic ?

How can i set the CookieDomain in a SpringBootProject with Spring Session 1.0.0.RELEASE ?

Thanks
Marcel

[rwinch]

At the moment you need to create a custom implementation of HttpSessionManager. You can base the implementation off of CookieHttpSessionStrategy. Then you would expose your CookieHttpSessionStrategy as a Bean:

@Bean
public ExtendedCookieHttpSessionStrategy httpSessionStrategy() {
    return new ExtendedCookieHttpSessionStrategy();
}

This feature will be added in the 1.1 release which is not yet scheduled. At that time, you will be able to remove your custom implementation and use the existing class.

[a-marcel]

Ok, thanks for the Information. I do it like you sayed. But i've one more question. Why is this class final ? I don't know exactly, but maybe i wanna override some function without copy the hole class ...

Thanks for you help.

[rwinch]

@marcelalburg It is marked as final to ensure we can more easily evolve the class and to encourage users (and the framework) to favor composition over inheritance.

[a-marcel]

Thanks, for the info and for the tipp.

Marcel

[rwinch]

In the latest snapshots you can now create a DefaultCookieSerializer and expose it as a Bean. See #299

Since there is a way to do this now, I'm going to push this back as a lower priority.