How do I get Spring generated cookies to expire when browser is closed?

A Spring Boot app has REST services that set cookie values inside a Spring Controller and then send the cookies out to the client in the response using HttpServletResponse as follows:

response.addCookie(new Cookie("AUTH1", "no"));

But when I close firefox, then re-open firefox and call the app's url again, the cookie values are exactly the same. How can I make sure that cookie values are destroyed when the browser closes, so that the cookies do not exist when the browser is re-opened? Can this be configured in the Spring Boot app? Or do I need to configure it in the front end app?


ONGOING EFFORTS:

Changing all the response.setCookie() lines in the backend REST controller to session.setAttribute() lines for the same key value pairs did not produce anything that the AngularJS client app could read using $cookies.get('keyname') even though they were the same key names. Is there a way to set session cookies in Spring controllers that will automatically be destroyed when the user closes their browser?

I also tried to implement @shazin's suggestion by using a method (because cookies are recreated many times in the controller class), but the problem is only partially resolved. Specifically, I took the following steps:

1.) I started with a couple of browser windows open, only one of which contained the app being tested.
2.) I changed all the code as shown below,
3.) then I killed the app with control-C and also killed the process running on the port.
4.) Then I mvn clean package
5.) and then I start up the app again with java -jar jarname, and load it up in a new InPrivate browser window.
6.) I use the logout method to remove any cookies that might have lingered from previous versions,
7.) then I use the GUI to trigger new cookie definitions, which work as intended.
8.) But then I test by closing the browser window that contains the app being tested and then re-opening a new browser window and navigating to the site again, but the cookie values are still there, so this approach has not solved the problem.
9.) Finally, I closed both open browser windows (each browser window has a few tabs of its own open). After closing all the browser windows, I opened a new browser window, and found that the cookies had been removed. So the approach below only works if you close ALL open browser windows and not just the browser window containing the app.

Here is the method that I wrote to implement @shazin's suggestion:

public Cookie getTempCookie(String key, String val){
    Cookie tempCookie = new Cookie(key, val);
    // negative max age: no Expires/Max-Age attribute is sent, so the browser
    // keeps the cookie in memory only and drops it when the browser exits
    tempCookie.setMaxAge(-1);
    return tempCookie;
}

And here is how I call the method from the various url pattern handlers inside the controller:

response.addCookie(getTempCookie("AUTH1", "yes"));

What else can I do to get the cookies to be deleted when only the window containing the app gets closed? In its present form, there is still a security risk if a user closes their browser window without realizing that another browser window is still opened.

CodeMed asked Feb 10 '16 01:02


1 Answer

What you can do is set the Max Age of the Cookie to -1, which will not persist the cookie and will delete it when the browser closes.

Cookie authCookie = new Cookie("AUTH1", "no");
authCookie.setMaxAge(-1);
response.addCookie(authCookie);

Javadoc for Max Age says the following:

A negative value means that the cookie is not stored persistently and will be deleted when the Web browser exits. A zero value causes the cookie to be deleted.
shazin answered Sep 24 '22 00:09
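The following is an added example that is not part of the question or the answer above. It puts the answer's Max-Age -1 session cookie next to the Max-Age 0 deletion cookie, and shows a logout handler that does what the "ONGOING EFFORTS" section found the browser will not do on its own when only one window is closed: it invalidates the server-side session and overwrites each auth cookie with an expired copy. It assumes a Spring Boot app on the Servlet API (javax.servlet) with Spring 4.3+ annotations; the class name, endpoint paths and cookie names are hypothetical.

```java
// Added example, not the question's or the answer's code.
// Assumes javax.servlet and Spring 4.3+ (@RestController, @GetMapping).
// Class name, paths and cookie names below are hypothetical.
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class AuthCookieController {

    // Hypothetical names of the cookies this app issues.
    private static final String[] AUTH_COOKIES = {"AUTH1", "AUTH2"};

    // Session cookie: Max-Age < 0 means no Expires/Max-Age attribute is sent,
    // so the browser keeps it in memory only and discards it when the whole
    // browser process exits (not when a single window is closed).
    // HttpOnly keeps page scripts from reading it, Secure keeps it off plain
    // HTTP, and an explicit Path makes the deletion cookie below match it.
    static Cookie sessionCookie(String name, String value) {
        Cookie c = new Cookie(name, value);
        c.setMaxAge(-1);
        c.setHttpOnly(true);
        c.setSecure(true);
        c.setPath("/");
        return c;
    }

    // Deletion cookie: Max-Age = 0 tells the browser to drop the cookie now.
    // It must carry the same name and path as the cookie it replaces.
    static Cookie expiredCookie(String name) {
        Cookie c = new Cookie(name, "");
        c.setMaxAge(0);
        c.setHttpOnly(true);
        c.setSecure(true);
        c.setPath("/");
        return c;
    }

    @GetMapping("/login")
    public String login(HttpServletResponse response) {
        response.addCookie(sessionCookie("AUTH1", "yes"));
        return "logged in";
    }

    // Closing one window does not end the browser session, so the server
    // cannot rely on the browser forgetting a session cookie. Logout should
    // both invalidate any server-side session and expire every auth cookie.
    @GetMapping("/logout")
    public String logout(HttpServletRequest request, HttpServletResponse response) {
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        for (String name : AUTH_COOKIES) {
            response.addCookie(expiredCookie(name));
        }
        return "logged out";
    }
}
```

One caveat for the AngularJS client mentioned in the question: a cookie marked HttpOnly cannot be read with $cookies.get, so a cookie the front end must inspect has to be issued without setHttpOnly(true), and only non-secret values should go into such a cookie. The browser-exit behaviour of a Max-Age -1 cookie is the browser's, not the server's, and "exit" means the last window of that browser profile; an explicit logout endpoint like the one above is the only part the server controls.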