Nick Humrich Nick Humrich - 7 months ago 143
Java Question

Turn off HttpOnly Spring boot

I would like to turn off HttpOnly sessions which I believe are default for Spring Boot.
How would I turn off HttpOnly on spring boot?

I currently have code such as:

@RequestMapping(value = "/stuff", method = GET)
public @ResponseBody
myObject doStuff(HttpSession session)
session.setAttribute("foo", "bar");
return new MyObject();

This returns a response header on the HTTP call:

Set-Cookie: JSESSIONID=D14846D9767B6404F1FB4B013AB66FB3; Path=/; HttpOnly

Note the HttpOnly flag. I would like to turn that off. How do I do so?

Side note: Yes I know that httpOnly is a security feature and by turning it off allows javascript to access my cookie i.e. XSS.

Also, I do not have any configuration other than default.

public class WebApplication {

public static void main(String[] args) {
SpringApplication app = new SpringApplication(WebApplication.class);;


Tomcat has a context attribute named useHttpOnly which checks:

Should the HttpOnly flag be set on session cookies to prevent client side script from accessing the session ID? Defaults to true.

So you need to set it to false. The configuration linked applies to non-embedded Tomcat servers. We need to find a way to do it with embedded Tomcat.

Here's how you do it. You declare a @Bean method for adding a EmbeddedServletContainerFactory to the context. You configure the returned TomcatEmbeddedServletContainerFactory by specifying a TomcatContextCustomizer which configures the appropriate property.

public EmbeddedServletContainerFactory servletContainer() {
    TomcatEmbeddedServletContainerFactory factory = new TomcatEmbeddedServletContainerFactory();
    factory.setTomcatContextCustomizers(Arrays.asList(new CustomCustomizer()));
    return factory;

static class CustomCustomizer implements TomcatContextCustomizer {
    public void customize(Context context) {

This solution works because you are using Tomcat. With different Servlet containers, the solution would be different.