Package org.springframework.session.web.http

Class DefaultCookieSerializer

java.lang.Object
org.springframework.session.web.http.DefaultCookieSerializer
All Implemented Interfaces:
CookieSerializer
public class DefaultCookieSerializer extends Object implements CookieSerializer
The default implementation of CookieSerializer.
Since:
1.1

  • Constructor Details

    • DefaultCookieSerializer

      public DefaultCookieSerializer()

  • Method Details

    • readCookieValues

      public List<String> readCookieValues(jakarta.servlet.http.HttpServletRequest request)
      Description copied from interface: CookieSerializer
      Reads all the matching cookies from the HttpServletRequest. The result is a List since there can be multiple Cookie in a single request with a matching name. For example, one Cookie may have a path of / and another of /context, but the path is not transmitted in the request.
      Specified by:
      readCookieValues in interface CookieSerializer
      Parameters:
      request - the HttpServletRequest to read the cookie from. Cannot be null.
      Returns:
      the values of all the matching cookies

    • writeCookieValue

      public void writeCookieValue(CookieSerializer.CookieValue cookieValue)
      Description copied from interface: CookieSerializer
      Writes a given CookieSerializer.CookieValue to the provided HttpServletResponse.
      Specified by:
      writeCookieValue in interface CookieSerializer
      Parameters:
      cookieValue - the CookieSerializer.CookieValue to write to CookieSerializer.CookieValue.getResponse(). Cannot be null.

    • setUseSecureCookie

      public void setUseSecureCookie(boolean useSecureCookie)
      Sets if a Cookie marked as secure should be used. The default is to use the value of ServletRequest.isSecure().
      Parameters:
      useSecureCookie - determines if the cookie should be marked as secure.

    • setUseHttpOnlyCookie

      public void setUseHttpOnlyCookie(boolean useHttpOnlyCookie)
      Sets if a Cookie marked as HTTP Only should be used. The default is true.
      Parameters:
      useHttpOnlyCookie - determines if the cookie should be marked as HTTP Only.

    • setCookiePath

      public void setCookiePath(String cookiePath)
      Sets the path of the Cookie. The default is to use the context path from the HttpServletRequest.
      Parameters:
      cookiePath - the path of the Cookie. If null, the default of the context path will be used.

    • setCookieName

      public void setCookieName(String cookieName)

    • setCookieMaxAge

      public void setCookieMaxAge(int cookieMaxAge)
      Sets the maxAge property of the Cookie. The default is to delete the cookie when the browser is closed.
      Parameters:
      cookieMaxAge - the maxAge property of the Cookie (defined in seconds)

    • setDomainName

      public void setDomainName(String domainName)
      Sets an explicit Domain Name. This allow the domain of "example.com" to be used when the request comes from www.example.com. This allows for sharing the cookie across subdomains. The default is to use the current domain.
      Parameters:
      domainName - the name of the domain to use. (i.e. "example.com")
      Throws:
      IllegalStateException - if the domainNamePattern is also set

    • setDomainNamePattern

      public void setDomainNamePattern(String domainNamePattern)

      Sets a case insensitive pattern used to extract the domain name from the ServletRequest.getServerName(). The pattern should provide a single grouping that defines what the value is that should be matched. User's should be careful not to output malicious characters like new lines to prevent from things like HTTP Response Splitting.

      If the pattern does not match, then no domain will be set. This is useful to ensure the domain is not set during development when localhost might be used.

      An example value might be "^.+?\\.(\\w+\\.[a-z]+)$". For the given input, it would provide the following explicit domain (null means no domain name is set):

      • example.com - null
      • child.sub.example.com - example.com
      • localhost - null
      • 127.0.1.1 - null
      Parameters:
      domainNamePattern - the case insensitive pattern to extract the domain name with
      Throws:
      IllegalStateException - if the domainName is also set

    • setJvmRoute

      public void setJvmRoute(String jvmRoute)

      Used to identify which JVM to route to for session affinity. With some implementations (i.e. Redis) this provides no performance benefit. However, this can help with tracing logs of a particular user. This will ensure that the value of the cookie is formatted as

      sessionId + "." jvmRoute

      To use set a custom route on each JVM instance and setup a frontend proxy to forward all requests to the JVM based on the route.

      Parameters:
      jvmRoute - the JVM Route to use (i.e. "node01jvmA", "n01ja", etc)

    • setUseBase64Encoding

      public void setUseBase64Encoding(boolean useBase64Encoding)
      Set if the Base64 encoding of cookie value should be used. This is valuable in order to support RFC 6265 which recommends using Base 64 encoding to the cookie value.
      Parameters:
      useBase64Encoding - the flag to indicate whether to use Base64 encoding

    • setRememberMeRequestAttribute

      public void setRememberMeRequestAttribute(String rememberMeRequestAttribute)
      Set the request attribute name that indicates remember-me login. If specified, the cookie will be written as Integer.MAX_VALUE.
      Parameters:
      rememberMeRequestAttribute - the remember-me request attribute name
      Since:
      1.3.0

    • setSameSite

      public void setSameSite(String sameSite)
      Set the value for the SameSite cookie directive. The default value is Lax.
      Parameters:
      sameSite - the SameSite directive value
      Since:
      2.1.0

    • getRememberMeRequestAttribute

      public String getRememberMeRequestAttribute()
      Gets the name of the request attribute that is checked to see if the cookie should be written with Integer.MAX_VALUE.
      Returns:
      the remember me request attribute
      Since:
      3.2