
Spring Session 1.0.0.M1 cookie domain attribute

I have integrated Spring Session with Redis into my Spring Boot app. Everything seems to work well except the cookie domain attribute. I found how to set the session cookie domain attribute in Tomcat, i.e. the method "setSessionCookieDomain", but that does not work. For example, I configured the domain attribute of the cookie in the Tomcat context:

    @Bean
    public TomcatContextCustomizer tomcatContextCustomizer() {
        System.out.println("TOMCATCONTEXTCUSTOMIZER INITILIZED");
        return new TomcatContextCustomizer() {
            @Override
            public void customize(Context context) {
                context.addServletContainerInitializer(new WsSci(), null);
                context.setUseHttpOnly(true);
                context.setPath("/");
                context.setSessionCookiePath("/");
                context.setSessionCookieDomain(".127.0.0.5");
//              context.setSessionCookieDomain(".localhost");
//              context.setSessionCookieDomain(".test.blabla.com");
            }
        };
    }

When I open the HTTPS trace in Wireshark and click "Follow SSL Stream", here is what I get. All other attributes are listed except the domain. So my question is: how do I set the domain attribute correctly in Spring Session 1.0.0.M1? Does Spring Session somehow override the Tomcat context?

GET / HTTP/1.1
Host: 127.0.0.5:8888
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:34.0) Gecko/20100101 Firefox/34.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Lang: keep-alive

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
Strict-Transport-Security: max-age=31536000 ; includeSubDomains
X-Frame-Options: DENY
X-Content-Security-Policy: script-src 'self'; object-src 'self'
Content-Security-Policy: script-src 'self'; object-src 'self'
X-WebKit-CSP: default-src 'self'
X-Application-Context: application:Production
Set-Cookie: SESSION=5d0a738f-f011-4e43-a1ee-d691b8eba94c; Path=/; Secure; HttpOnly
Content-Type: text/html;charset=UTF-8
Conten10:01:27 GMT

<!DOCTYPE html>

Thanks for bringing this up. Spring Session should allow configuring the domain via the SessionCookieConfig but doesn't. I have created gh-87 to address this.
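
A check for the cookie scope discussed in this thread, as an added example that is not part of the original question or answer: it parses a `Set-Cookie` header and reports whether the `Domain`, `Secure` and `HttpOnly` attributes match what the deployment expects. The function names and `WIDE_COOKIE` are constructed for illustration; `TRACE_COOKIE` is the header from the trace above.

```python
# Added example: audit a Set-Cookie header for session-cookie attributes.
# TRACE_COOKIE is copied from the response in the question; the function
# names and WIDE_COOKIE are constructed for illustration.
TRACE_COOKIE = "SESSION=5d0a738f-f011-4e43-a1ee-d691b8eba94c; Path=/; Secure; HttpOnly"
WIDE_COOKIE = "SESSION=abc123; Domain=.test.blabla.com; Path=/"  # constructed


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, attributes).

    Attribute names are lower-cased; valueless flags map to True.
    """
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value.strip(), attrs


def audit_session_cookie(header_value, expected_domain=None):
    """Return findings; expected_domain=None means host-only is wanted."""
    name, _, attrs = parse_set_cookie(header_value)
    findings = []
    for flag in ("secure", "httponly"):
        if attrs.get(flag) is not True:
            findings.append(f"{name}: missing {flag} flag")
    domain = attrs.get("domain")
    if domain is None:
        # Without Domain the browser stores a host-only cookie (RFC 6265).
        if expected_domain is not None:
            findings.append(f"{name}: no Domain attribute, expected {expected_domain}")
    else:
        # RFC 6265 ignores a leading dot; a Domain cookie also reaches subdomains.
        got = domain.lstrip(".").lower()
        if expected_domain is None:
            findings.append(f"{name}: Domain={domain} widens scope to subdomains")
        elif got != expected_domain.lstrip(".").lower():
            findings.append(f"{name}: Domain={domain}, expected {expected_domain}")
    return findings


if __name__ == "__main__":
    for finding in audit_session_cookie(TRACE_COOKIE, ".127.0.0.5"):
        print(finding)
```

Run against the header in the trace with the domain the question configured, it reports the missing `Domain` attribute; with no expected domain, the same header passes as a host-only, `Secure`, `HttpOnly` cookie.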
