I would like to turn off HttpOnly sessions which I believe are default for Spring Boot. How would I turn off HttpOnly on spring boot?
I currently have code such as:
    @RequestMapping(value = "/stuff", method = GET)
    public @ResponseBody MyObject doStuff(HttpSession session)
    {
        // writing to the session forces the container to issue JSESSIONID
        session.setAttribute("foo", "bar");
        return new MyObject();
    }
This returns a response header on the HTTP call:
Set-Cookie: JSESSIONID=D14846D9767B6404F1FB4B013AB66FB3; Path=/; HttpOnly
Note the HttpOnly flag. I would like to turn that off. How do I do so?
Side note: Yes, I know that HttpOnly is a security feature and that turning it off allows JavaScript to access my cookie, i.e. XSS.
Also, I do not have any configuration other than default.
    @ComponentScan
    @EnableAutoConfiguration
    public class WebApplication {
        public static void main(String[] args) {
            SpringApplication app = new SpringApplication(WebApplication.class);
            app.run(args);
        }
    }
Because cookie data (and session IDs) can be stolen using Cross-Site Scripting (XSS), it is important to set cookies as being HTTPOnly. This setting makes cookies unavailable to JavaScript and prevents their theft using XSS.
Warning: Do not disable HTTP security as described in this post unless you have a good reason to. Spring is well-known for its convention over configuration approach where features works out of the box with sensible defaults.
At least on Spring Boot >= 1.4 it's even easier, just use the following configuration property, as documented in the official documentation:

    server.servlet.session.cookie.http-only= # "HttpOnly" flag for the session cookie.
Another alternative to the accepted answer that fits into Spring Boot is overriding the customize method of your EmbeddedServletContainerCustomizer.
First, implement the interface:
    @Configuration
    @ComponentScan
    @EnableAutoConfiguration
    public class Application implements EmbeddedServletContainerCustomizer
Then add an override for the customize method:
    // Spring Boot 1.x imports needed for this override:
    // org.springframework.boot.context.embedded.ConfigurableEmbeddedServletContainer,
    // org.springframework.boot.context.embedded.tomcat.TomcatEmbeddedServletContainerFactory,
    // org.springframework.boot.context.embedded.tomcat.TomcatContextCustomizer, org.apache.catalina.Context
    @Override
    public void customize(final ConfigurableEmbeddedServletContainer container)
    {
        // Spring Boot 1.x auto-configures embedded Tomcat, so the container is the Tomcat factory
        ((TomcatEmbeddedServletContainerFactory) container).addContextCustomizers(new TomcatContextCustomizer()
        {
            @Override
            public void customize(Context context)
            {
                // false drops the HttpOnly attribute from JSESSIONID; true keeps it
                context.setUseHttpOnly(false);
            }
        });
    }
Incidentally, I found that httpOnly wasn't being set at all for me, so I had to use this method to turn httpOnly on (obviously my setting above is 'true').
You can also use this method to adjust other things in Tomcat, such as turning on gzip for JSON and expanding the max HTTP header size (in the case of Kerberos authentication I needed to do this):
    // Needs org.springframework.boot.context.embedded.tomcat.TomcatConnectorCustomizer,
    // org.apache.catalina.connector.Connector, org.apache.coyote.http11.AbstractHttp11Protocol
    // and org.springframework.http.MediaType
    ((TomcatEmbeddedServletContainerFactory) container).addConnectorCustomizers(new TomcatConnectorCustomizer()
    {
        @Override
        public void customize(final Connector connector)
        {
            AbstractHttp11Protocol<?> httpProtocol = (AbstractHttp11Protocol<?>) connector.getProtocolHandler();
            // larger header buffer, e.g. for Kerberos/SPNEGO tokens (Tomcat's default is 8 KiB)
            httpProtocol.setMaxHttpHeaderSize(65536);
            httpProtocol.setCompression("on");
            httpProtocol.setCompressionMinSize(256);
            // Tomcat's default compressible list has no JSON type, so append application/json
            String mimeTypes = httpProtocol.getCompressableMimeTypes();
            String mimeTypesWithJson = mimeTypes + "," + MediaType.APPLICATION_JSON_VALUE;
            httpProtocol.setCompressableMimeTypes(mimeTypesWithJson);
        }
    });
    server.servlet.session.cookie.http-only=false

(Property updated)
Reference: https://docs.spring.io/spring-boot/docs/current/reference/html/common-application-properties.html
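A check to run after touching the property, added here as an example and not taken from the question or any answer above: it assumes a Spring Boot 2.2+ application (JUnit 5) that exposes the question's /stuff endpoint, starts it on a random port, and asserts on the Set-Cookie header the server actually sends, because the flag is applied by the embedded Tomcat context and never shows up in a MockMvc test.

```java
// Added example; the application, the /stuff endpoint and the property value are assumptions.
import static org.junit.jupiter.api.Assertions.*;

import java.util.List;
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.boot.test.web.client.TestRestTemplate;
import org.springframework.http.HttpHeaders;
import org.springframework.http.ResponseEntity;

// Pin the flag for the test so a later change to the property fails this test loudly.
@SpringBootTest(webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT,
        properties = "server.servlet.session.cookie.http-only=true")
class SessionCookieFlagsTest {

    @Autowired
    private TestRestTemplate rest;

    /** Returns the Set-Cookie line that issues the session id, or null if none was sent. */
    static String sessionCookie(List<String> setCookieHeaders) {
        if (setCookieHeaders == null) return null;
        for (String header : setCookieHeaders) {
            if (header.startsWith("JSESSIONID=")) return header;
        }
        return null;
    }

    /** True when a bare attribute such as "HttpOnly" or "Secure" is present; names are case-insensitive. */
    static boolean hasAttribute(String setCookie, String attribute) {
        for (String part : setCookie.split(";")) {
            if (part.trim().equalsIgnoreCase(attribute)) return true;
        }
        return false;
    }

    @Test
    void sessionCookieKeepsHttpOnly() {
        // The controller writes to the session, so the first response must create JSESSIONID.
        ResponseEntity<String> response = rest.getForEntity("/stuff", String.class);
        String cookie = sessionCookie(response.getHeaders().get(HttpHeaders.SET_COOKIE));
        assertNotNull(cookie, "endpoint should create a session cookie");
        assertTrue(hasAttribute(cookie, "HttpOnly"), "JSESSIONID lost its HttpOnly attribute: " + cookie);
    }
}
```

Flip the pinned property to false and the assertion fails, which is the regression signal you want if someone disables the flag in application.properties later.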