I added in my configuration the following property:
server.session.cookie.max-age=3600
The Set-Cookie HTTP header is:
Set-Cookie: JSESSIONID=3407BD3E1C7153D70EFC5DBD16B059E4; Path=/; Secure; HttpOnly
So it seems like Spring ignores this property. Is it deprecated? If not, why isn't it working?
Here's my configuration:
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests()
            .anyRequest()
            .authenticated()
            .and()
        .formLogin()
            .successForwardUrl("/")
            .defaultSuccessUrl("/", true)
            .permitAll()
            .and()
        .logout().logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
            .deleteCookies("JSESSIONID")
            .invalidateHttpSession(true)
            .and()
        .rememberMe()
            .key("key")
            .tokenValiditySeconds(86400);
}
With Spring Boot 2.1.4 you have to use the property server.servlet.session.cookie.max-age instead of server.session.cookie.max-age, see Spring Boot Reference Guide:
Appendix A. Common application properties
Various properties can be specified inside your application.properties file, inside your application.yml file, or as command line switches. This appendix provides a list of common Spring Boot properties and references to the underlying classes that consume them. [...]
# EMBEDDED SERVER CONFIGURATION (ServerProperties)
[...]
server.servlet.session.cookie.max-age= # Maximum age of the session cookie. If a duration suffix is not specified, seconds will be used.
and Spring Boot 2.0.0 RC1 Configuration Changelog.
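One way to confirm that the renamed property is being applied is to check the Set-Cookie header for a Max-Age attribute. This is an added example, not code from the question or the answer; it uses the JDK's java.net.HttpCookie parser, and the class name SessionCookieCheck and the second header value are constructed for illustration.

```java
import java.net.HttpCookie;

public class SessionCookieCheck {

    // Returns "OK" or a description of the first problem found.
    static String check(String setCookieHeader, String name, long expectedMaxAge) {
        for (HttpCookie c : HttpCookie.parse(setCookieHeader)) {
            if (!name.equals(c.getName())) {
                continue;
            }
            if (!c.getSecure() || !c.isHttpOnly()) {
                return "missing Secure or HttpOnly";
            }
            long maxAge = c.getMaxAge(); // -1 when neither Max-Age nor Expires was sent
            if (maxAge == -1) {
                return "no Max-Age: cookie lasts until the browser closes";
            }
            if (maxAge != expectedMaxAge) {
                return "Max-Age is " + maxAge + ", expected " + expectedMaxAge;
            }
            return "OK";
        }
        return "cookie " + name + " not found";
    }

    public static void main(String[] args) {
        // Header from the question: the old property name was ignored.
        String before = "Set-Cookie: JSESSIONID=3407BD3E1C7153D70EFC5DBD16B059E4; Path=/; Secure; HttpOnly";
        // Constructed sample of the header once the renamed property is applied.
        String after = "Set-Cookie: JSESSIONID=0000000000000000; Path=/; Max-Age=3600; Secure; HttpOnly";
        System.out.println(check(before, "JSESSIONID", 3600));
        System.out.println(check(after, "JSESSIONID", 3600));
    }
}
```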