25

I want to configure my servlet context, such as setting a custom jsessionId key (see Changing cookie JSESSIONID name)

I believe I can use the SpringBootServletInitializer when running a WAR file, manipulating the servletContext in onStartup(). However, when I run on an embedded application server, using new SpringApplicationBuilder().run(), I don't know the best place to manipulate the servlet context.

tkruse
  • I'm quite suspicious of your motives. If you change the cookie name you won't be able to take advantage of common load-balancing algorithms for instance. I can't really understand why it's necessary. – Dave Syer Sep 18 '14 at 17:14
  • @DaveSyer I'm curious, how come it will affect the LB algorithm? We are planning to change the cookie name to hide the tech stack details from attackers. – Govinda Sakhare Aug 03 '19 at 12:23
  • Sticky session load balancing usually relies on a cookie name, for instance. – Dave Syer Aug 14 '19 at 17:28

4 Answers

54

As of Spring Boot 1.3 you can simply set a configuration property:

Spring Boot 1.3, 1.4, 1.5

server.session.cookie.name = MYSESSIONID

Spring Boot 2.x

server.servlet.session.cookie.name = MYSESSIONID

A lot simpler than writing a configuration class.

See https://docs.spring.io/spring-boot/docs/current/reference/html/common-application-properties.html for more session related properties.

JamieB
26

Declare a ServletContextInitializer bean in your application's configuration:

@Bean
public ServletContextInitializer servletContextInitializer() {
    return new ServletContextInitializer() {

        @Override
        public void onStartup(ServletContext servletContext) throws ServletException {
            servletContext.getSessionCookieConfig().setName("yourCookieName");
        }
    };

}

Alternatively, your application class itself can implement ServletContextInitializer:

@Configuration
@EnableAutoConfiguration
@ComponentScan
public class Application implements ServletContextInitializer {

    public static void main(String[] args) throws Exception {
        SpringApplication.run(Application.class, args);
    }

    @Override
    public void onStartup(ServletContext servletContext) throws ServletException {
        servletContext.getSessionCookieConfig().setName("yourCookieName");
    }

}
Andy Wilkinson
  • Great job Mr. Wilkinson, have been searching for this for some time now! Keep up the good work. – Lazar Lazarov Jan 11 '17 at 11:17
  • Wildfly users: This was the only solution that worked for setting the JSESSIONID path (setting the server.servlet.session.cookie.path did NOT). – java-addict301 May 23 '19 at 21:37
  • Second note for Wildfly users. I had to add super.onStartup(servletContext); to the beginning of the onStartup method, otherwise my CORS configuration/headers got blown away. Tomcat didn't seem to need this. – java-addict301 May 23 '19 at 21:41
  • @java-addict301, you can't call `super.onStartup(servletContext)` in this case. The superclass of both the anonymous inner-class (my first example) and `Application` (my second example) is `Object` and it has no `onStartup(ServletContext)` method so attempting to call `super.onStartup(servletContext)` won't compile. Perhaps your `ServletContextInitializer` has a different superclass? – Andy Wilkinson May 24 '19 at 09:32
  • Ah yes you're right, I'm overriding this in my main @SpringBootApplication class (which extends SpringBootServletInitializer). I'm on Spring Boot version 2.1.1 – java-addict301 May 24 '19 at 13:14
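
An added example, not part of the answer above or of Spring's own code: the same ServletContextInitializer approach, extended to set the HttpOnly and Secure flags and to restrict session tracking to cookies so the session ID is never written into URLs. It assumes Spring Boot 2.x with the javax.servlet API; the class name, method names and cookie name are hypothetical.

```java
import java.util.EnumSet;

import javax.servlet.ServletContext;
import javax.servlet.SessionCookieConfig;
import javax.servlet.SessionTrackingMode;

import org.springframework.boot.web.servlet.ServletContextInitializer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class SessionCookieHardeningConfig {

    // Hypothetical name. If a load balancer does sticky sessions keyed on
    // the cookie name, it must be reconfigured to use the same value.
    static final String COOKIE_NAME = "MYSESSIONID";

    @Bean
    public ServletContextInitializer sessionCookieInitializer() {
        // ServletContextInitializer has a single method, so a method
        // reference is enough; it runs once while the container starts.
        return SessionCookieHardeningConfig::harden;
    }

    static void harden(ServletContext servletContext) {
        SessionCookieConfig cookie = servletContext.getSessionCookieConfig();

        // Renaming hides the default name but is not a control by itself;
        // the flags below are what actually protect the session ID.
        cookie.setName(COOKIE_NAME);

        // Not readable from JavaScript (document.cookie).
        cookie.setHttpOnly(true);

        // Only sent over HTTPS. Sessions will not persist when the
        // application is reached over plain HTTP, e.g. in local development.
        cookie.setSecure(true);

        // Track sessions through the cookie only. This disables URL
        // rewriting, so ";jsessionid=..." never ends up in links, logs
        // or Referer headers.
        servletContext.setSessionTrackingModes(
                EnumSet.of(SessionTrackingMode.COOKIE));
    }
}
```

Both setters and setSessionTrackingModes throw IllegalStateException once the servlet context has finished initializing, which is why the calls belong in an initializer and not in a request handler.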
3

With Spring Session, if you want to change the cookie name, you can do this:

@Bean
public DefaultCookieSerializer defaultCookieSerializer(){
    DefaultCookieSerializer defaultCookieSerializer = new DefaultCookieSerializer();
    defaultCookieSerializer.setCookieName("mySessionId");
    return defaultCookieSerializer;
}

I found this in the Spring Session source:

spring-session-1.2.1.RELEASE-sources.jar!/org/springframework/session/config/annotation/web/http/SpringHttpSessionConfiguration.java

@Autowired(required = false)
public void setCookieSerializer(CookieSerializer cookieSerializer) {
    this.defaultHttpSessionStrategy.setCookieSerializer(cookieSerializer);
}
jozdoo
-1

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.NEVER).and()
        .csrf().disable();
}

You can try this, as it removes the jsession id from the URL.

Ole V.V.