This guide describes how to configure Spring Session to use custom cookies with Java Configuration. The guide assumes you have already setup Spring Session in your project.

The completed guide can be found in the Custom Cookie sample application.

Once you have setup Spring Session you can easily customize how the session cookie is written by exposing a CookieSerializer as a Spring Bean. Out of the box, Spring Session comes with DefaultCookieSerializer. Simply exposing the DefaultCookieSerializer as a Spring Bean will augment the existing configuration when using configurations like @EnableRedisHttpSession. You can find an example of customizing Spring Session’s cookie below:

	@Bean
	public CookieSerializer cookieSerializer() {
		DefaultCookieSerializer serializer = new DefaultCookieSerializer();
		serializer.setCookieName("JSESSIONID"); (1)
		serializer.setCookiePath("/"); (2)
		serializer.setDomainNamePattern("^.+?\\.(\\w+\\.[a-z]+)$"); (3)
		return serializer;
	}
1 We customize the name of the cookie to be JSESSIONID
2 We customize the path of the cookie to be "/" (rather than the default of the context root)
3 We customize the domain name pattern (a regular expression) to be ^.?\\.(\\w\\.[a-z]+)$ This allows sharing a session across domains and applications. If the regular expression does not match, no domain is set and the existing domain will be used. If the regular expression matches, the first grouping will be used as the domain. This means that a request to https://child.example.com will set the domain to example.com. However, a request to http://localhost:8080/ or http://192.168.1.100:8080/ will leave the cookie unset and thus still work in development without any changes necessary for production.

It is important to note that users should only match on valid domain characters since the domain name is reflected in the response. This is prevent a malicious user from performing attacks like HTTP Response Splitting.

The configuration options available are:

  • cookieName - the name of the cookie to use Default "SESSION"

  • useSecureCookie - specify if a secure cookie be used Default use value of HttpServletRequest.isSecure() at the time of creation.

  • cookiePath - the path of the cookie Default is context root

  • cookieMaxAge - specifies the max age of the cookie to be set at the time the session is created. Default is -1 which indicates the cookie will be removed when the browser is closed.

  • jvmRoute - specifies a suffix to be appended to the session id and included in the cookie. Used to identify which JVM to route to for session affinity. With some implementations (i.e. Redis) this provides no performance benefit. However, this can help with tracing logs of a particular user.

  • domainName - allows specifying a specific domain name to be used for the cookie. This option is simple to understand, but will likely require a different configuration between development and production environments. See domainNamePattern as an alternative.

  • domainNamePattern - a case insensitive pattern used to extract the domain name from the HttpServletRequest#getServerName(). The pattern should provide a single grouping used to extract the value of the cookie domain. If the regular expression does not match, no domain is set and the existing domain will be used. If the regular expression matches, the first grouping will be used as the domain.

It is important to note that users should only match on valid domain characters since the domain name is reflected in the response. This is prevent a malicious user from performing attacks like HTTP Response Splitting.

You can run the sample by obtaining the source code and invoking the following command:

For the sample to work, you must install Redis 2.8+ on localhost and run it with the default port (6379). Alternatively, you can update the LettuceConnectionFactory to point to a Redis server.

$ ./gradlew :samples:custom-cookie:tomcatRun

You should now be able to access the application at http://localhost:8080/

Try using the application. Fill out the form with the following information:

  • Attribute Name: username

  • Attribute Value: rob

Now click the Set Attribute button. You should now see the values displayed in the table.

If you look at the cookies for the application, you can see the cookie is saved to the custom name of JSESSIONID