Spring Cloud Gateway 的 Cookie 路径

Question

Consider this microservices based application using Spring Boot 2.1.2 and Spring Cloud Greenwich.RELEASE :

• Each microservice uses the JSESSIONID cookie to identify its own dedicated Servlet session (ie no global unique session shared with Spring Session and Redis).
• External incoming requests are routed by Spring Cloud Gateway (and an Eureka registry used through Spring Cloud Netflix, but this should not be relevant).

When Spring Cloud Gateway returns a microservice response, it returns the "Set-Cookie" as-is, ie with the same "/" path.

When a second microservice is called by a client, the JSESSIONID from the first microservice is forwarded but ignored (since the corresponding session only exists in the first microservice). So the second microservice will return a new JSESSIONID. As a consequence the first session is lost.

In summary, each call to a different microservice will loose the previous session .

I expected some cookies path translation with Spring Cloud Gateway, but found no such feature in the docs. Not luck either with Google.

How can we fix this (a configuration parameter I could have missed, an API to write such cookies path translation, etc)?

Answer 1

Rather than changing the JSESSIONID cookies path in a GlobalFilter, I simply changed the name of the cookie in the application.yml :

# Each microservice uses its own session cookie name to prevent conflicts
server.servlet.session.cookie.name: JSESSIONID_${spring.application.name}

Answer 2

I faced the same problem and found the following solution using Spring Boot 2.5.4 and Spring Cloud Gateway 2020.0.3:

To be independent from the Cookie naming of the downstream services, I decided to rename all cookies on the way through the gateway. But to avoid a duplicate session cookie in downstream requests (from the gateway itself) I also renamed the gateway cookie.

Rename the Gateway Session Cookie

Unfortunately customizing the gateway cookie name using server.servlet.session.cookie.name does not work using current gateway versions.

Therefore register a custom WebSessionManager bean (name required as the auto configurations is conditional on the bean name!) changing the cookie name (use whatever you like except typical session cookie names like SESSION , JSESSION_ID , …):

static final String SESSION_COOKIE_NAME = "GATEWAY_SESSION";

@Bean(name = WebHttpHandlerBuilder.WEB_SESSION_MANAGER_BEAN_NAME)
WebSessionManager webSessionManager(WebFluxProperties webFluxProperties) {
    DefaultWebSessionManager webSessionManager = new DefaultWebSessionManager();
    CookieWebSessionIdResolver webSessionIdResolver = new CookieWebSessionIdResolver();
    webSessionIdResolver.setCookieName(SESSION_COOKIE_NAME);
    webSessionIdResolver.addCookieInitializer((cookie) -> cookie
            .sameSite(webFluxProperties.getSession().getCookie().getSameSite().attribute()));
    webSessionManager.setSessionIdResolver(webSessionIdResolver);
    return webSessionManager;
}

Rename Cookies created

Next step is to rename (all) cookies set by the downstream server. This is easy as there is a RewriteResponseHeader filter available. I decided to simply add a prefix to every cookie name (choose a unique one for each downstream):

filters:
  - "RewriteResponseHeader=Set-Cookie, ^([^=]+)=, DS1_$1="

Rename Cookies sent

Last step is to rename the cookies before sending to the downstream server. As every cookie of the downstream server has a unique prefix, just remove the prefix:

filters:
  - "RewriteRequestHeader=Cookie, ^DS1_([^=]+)=, $1="

Arg, currently there is no such filter available . But based on the existing RewriteResponseHeader filter this is easy (the Cloud Gateway will use it if you register it as a bean):

@Component
class RewriteRequestHeaderGatewayFilterFactory extends RewriteResponseHeaderGatewayFilterFactory
{
    @Override
    public GatewayFilter apply(Config config) {
        return new GatewayFilter() {
            @Override
            public Mono<Void> filter(ServerWebExchange exchange, GatewayFilterChain chain) {
                ServerHttpRequest request = exchange.getRequest().mutate()
                        .headers(httpHeaders -> rewriteHeaders(httpHeaders, config)).build();
                return chain.filter(exchange.mutate().request(request).build());
            }

            @Override
            public String toString() {
                return filterToStringCreator(RewriteRequestHeaderGatewayFilterFactory.this)
                        .append("name", config.getName()).append("regexp", config.getRegexp())
                        .append("replacement", config.getReplacement()).toString();
            }
        };
    }

    private void rewriteHeaders(HttpHeaders httpHeaders, Config config)
    {
        httpHeaders.put(config.getName(), rewriteHeaders(config, httpHeaders.get(config.getName())));
    }
}

Answer 3

Simply reset cookie name to GATEWAY_SESSION in gateway project to avoid session conflict:

    @Autowired(required = false)
    public void setCookieName(HttpHandler httpHandler) {
        if (httpHandler == null) return;
        if (!(httpHandler instanceof HttpWebHandlerAdapter)) return;
        DefaultWebSessionManager sessionManager = new DefaultWebSessionManager();
        CookieWebSessionIdResolver sessionIdResolver = new CookieWebSessionIdResolver();
        sessionIdResolver.setCookieName("GATEWAY_SESSION");
        sessionManager.setSessionIdResolver(sessionIdResolver);
        ((HttpWebHandlerAdapter) httpHandler).setSessionManager(sessionManager);
    }