
Cookie http only with spring security and servlet 2.5?

I want to make my cookie secure and http request only.

I've seen many posts like this and they seem to work fine, but they use configuration files and Servlet 3+.

What I basically want to do is to set my cookie http only and (if possible) ssl only as well.

So far I have added this to my web.xml:

    <session-config>
        <session-timeout>60</session-timeout>
        <cookie-config>
            <http-only>true</http-only>
        </cookie-config>
        <tracking-mode>COOKIE</tracking-mode>
    </session-config>

It doesn't do anything. As far as I have read, I also have to configure my servlet.xml to enable this feature, but I don't know how...

Any idea how to do this?

EDIT:

Since I am using Servlet 2.5, the XML configuration is not an option. Maybe a filter?

jpganz18 asked Feb 16 '16 00:02



2 Answers

I hate XML configuration, so I spent some time finding a non-XML solution.

Since Spring Security 1.3 you can use

    server.session.cookie.http-only=true
    server.session.cookie.secure=true

in your application.properties file.

Maybe there is a way to set this using pure Java configuration, but I can't find it.

jakub.josef answered Sep 24 '22 03:09


We ran across this issue recently. I tried the property settings for http-only, which worked locally, but not when we deployed to our test env. It's possible there were some default settings in the env overriding those local settings. What worked was to set the properties in a Spring config file:

    import java.util.Collections;
    import javax.servlet.ServletContext;
    import javax.servlet.ServletException;
    import javax.servlet.SessionCookieConfig;
    import javax.servlet.SessionTrackingMode;
    import org.springframework.boot.web.servlet.ServletContextInitializer;
    import org.springframework.context.annotation.Bean;

    @Bean
    public ServletContextInitializer servletContextInitializer() {
        return new ServletContextInitializer() {
            @Override
            public void onStartup(ServletContext servletContext) throws ServletException {
                // Track sessions by cookie only, never by ;jsessionid URL rewriting
                servletContext.setSessionTrackingModes(Collections.singleton(SessionTrackingMode.COOKIE));
                SessionCookieConfig sessionCookieConfig = servletContext.getSessionCookieConfig();
                sessionCookieConfig.setHttpOnly(true); // not readable from client-side script
                sessionCookieConfig.setSecure(true);   // only sent over HTTPS
            }
        };
    }
Rick Pearce answered Sep 21 '22 03:09