org.springframework.session.web.http

Class DefaultCookieSerializer

java.lang.Object

org.springframework.session.web.http.DefaultCookieSerializer

All Implemented Interfaces:

CookieSerializer

public class DefaultCookieSerializer
extends java.lang.Object
implements CookieSerializer

The default implementation of CookieSerializer.

Since:

1.1

Nested Class Summary

Nested classes/interfaces inherited from interface org.springframework.session.web.http.CookieSerializer

CookieSerializer.CookieValue

Constructor Summary

Constructors

Constructor and Description
DefaultCookieSerializer()

Method Summary

Modifier and Type	Method and Description
java.util.List<java.lang.String>	readCookieValues(javax.servlet.http.HttpServletRequest request) Reads all the matching cookies from the HttpServletRequest.
void	setCookieMaxAge(int cookieMaxAge) Sets the maxAge property of the Cookie.
void	setCookieName(java.lang.String cookieName)
void	setCookiePath(java.lang.String cookiePath) Sets the path of the Cookie.
void	setDomainName(java.lang.String domainName) Sets an explicit Domain Name.
void	setDomainNamePattern(java.lang.String domainNamePattern) Sets a case insensitive pattern used to extract the domain name from the ServletRequest.getServerName().
void	setJvmRoute(java.lang.String jvmRoute) Used to identify which JVM to route to for session affinity.
void	setRememberMeRequestAttribute(java.lang.String rememberMeRequestAttribute) Set the request attribute name that indicates remember-me login.
void	setSameSite(java.lang.String sameSite) Set the value for the SameSite cookie directive.
void	setUseBase64Encoding(boolean useBase64Encoding) Set if the Base64 encoding of cookie value should be used.
void	setUseHttpOnlyCookie(boolean useHttpOnlyCookie) Sets if a Cookie marked as HTTP Only should be used.
void	setUseSecureCookie(boolean useSecureCookie) Sets if a Cookie marked as secure should be used.
void	writeCookieValue(CookieSerializer.CookieValue cookieValue) Writes a given CookieSerializer.CookieValue to the provided HttpServletResponse.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

DefaultCookieSerializer

public DefaultCookieSerializer()

Method Detail

readCookieValues

public java.util.List<java.lang.String> readCookieValues(javax.servlet.http.HttpServletRequest request)

Description copied from interface: CookieSerializer

Reads all the matching cookies from the HttpServletRequest. The result is a List since there can be multiple Cookie in a single request with a matching name. For example, one Cookie may have a path of / and another of /context, but the path is not transmitted in the request.

Specified by:

readCookieValues in interface CookieSerializer

Parameters:

request - the HttpServletRequest to read the cookie from. Cannot be null.

Returns:

the values of all the matching cookies

writeCookieValue

public void writeCookieValue(CookieSerializer.CookieValue cookieValue)

Description copied from interface: CookieSerializer

Writes a given CookieSerializer.CookieValue to the provided HttpServletResponse.

Specified by:

writeCookieValue in interface CookieSerializer

Parameters:

cookieValue - the CookieSerializer.CookieValue to write to CookieSerializer.CookieValue.getResponse(). Cannot be null.

setUseSecureCookie

public void setUseSecureCookie(boolean useSecureCookie)

Sets if a Cookie marked as secure should be used. The default is to use the value of ServletRequest.isSecure().

Parameters:

useSecureCookie - determines if the cookie should be marked as secure.

setUseHttpOnlyCookie

public void setUseHttpOnlyCookie(boolean useHttpOnlyCookie)

Sets if a Cookie marked as HTTP Only should be used. The default is true.

Parameters:

useHttpOnlyCookie - determines if the cookie should be marked as HTTP Only.

setCookiePath

public void setCookiePath(java.lang.String cookiePath)

Sets the path of the Cookie. The default is to use the context path from the HttpServletRequest.

Parameters:

cookiePath - the path of the Cookie. If null, the default of the context path will be used.

setCookieName

public void setCookieName(java.lang.String cookieName)

setCookieMaxAge

public void setCookieMaxAge(int cookieMaxAge)

Sets the maxAge property of the Cookie. The default is to delete the cookie when the browser is closed.

Parameters:

cookieMaxAge - the maxAge property of the Cookie (defined in seconds)

setDomainName

public void setDomainName(java.lang.String domainName)

Sets an explicit Domain Name. This allow the domain of "example.com" to be used when the request comes from www.example.com. This allows for sharing the cookie across subdomains. The default is to use the current domain.

Parameters:

domainName - the name of the domain to use. (i.e. "example.com")

Throws:

java.lang.IllegalStateException - if the domainNamePattern is also set

setDomainNamePattern

public void setDomainNamePattern(java.lang.String domainNamePattern)

Sets a case insensitive pattern used to extract the domain name from the ServletRequest.getServerName(). The pattern should provide a single grouping that defines what the value is that should be matched. User's should be careful not to output malicious characters like new lines to prevent from things like HTTP Response Splitting.

If the pattern does not match, then no domain will be set. This is useful to ensure the domain is not set during development when localhost might be used.

An example value might be "^.+?\\.(\\w+\\.[a-z]+)$". For the given input, it would provide the following explicit domain (null means no domain name is set):

• example.com - null
• child.sub.example.com - example.com
• localhost - null
• 127.0.1.1 - null

Parameters:

domainNamePattern - the case insensitive pattern to extract the domain name with

Throws:

java.lang.IllegalStateException - if the domainName is also set

setJvmRoute

public void setJvmRoute(java.lang.String jvmRoute)

Used to identify which JVM to route to for session affinity. With some implementations (i.e. Redis) this provides no performance benefit. However, this can help with tracing logs of a particular user. This will ensure that the value of the cookie is formatted as

sessionId + "." jvmRoute

To use set a custom route on each JVM instance and setup a frontend proxy to forward all requests to the JVM based on the route.

Parameters:

jvmRoute - the JVM Route to use (i.e. "node01jvmA", "n01ja", etc)

setUseBase64Encoding

public void setUseBase64Encoding(boolean useBase64Encoding)

Set if the Base64 encoding of cookie value should be used. This is valuable in order to support RFC 6265 which recommends using Base 64 encoding to the cookie value.

Parameters:

useBase64Encoding - the flag to indicate whether to use Base64 encoding

setRememberMeRequestAttribute

public void setRememberMeRequestAttribute(java.lang.String rememberMeRequestAttribute)

Set the request attribute name that indicates remember-me login. If specified, the cookie will be written as Integer.MAX_VALUE.

Parameters:

rememberMeRequestAttribute - the remember-me request attribute name

Since:

1.3.0

setSameSite

public void setSameSite(java.lang.String sameSite)

Set the value for the SameSite cookie directive. The default value is Lax.

Parameters:

sameSite - the SameSite directive value

Since:

2.1.0