Nick Humrich - 21 days ago
Java Question

Turn off HttpOnly Spring boot

I would like to turn off HttpOnly sessions which I believe are default for Spring Boot.
How would I turn off HttpOnly on spring boot?

I currently have code such as:

@RequestMapping(value = "/stuff", method = GET)
@ResponseBody
public MyObject doStuff(HttpSession session) {
    session.setAttribute("foo", "bar");
    return new MyObject();
}

This returns a response header on the HTTP call:

Set-Cookie: JSESSIONID=D14846D9767B6404F1FB4B013AB66FB3; Path=/; HttpOnly

Note the HttpOnly flag. I would like to turn that off. How do I do so?

Side note: Yes, I know that HttpOnly is a security feature and that turning it off allows JavaScript to access my cookie (i.e. XSS).

Also, I do not have any configuration other than default.

@ComponentScan
@EnableAutoConfiguration
public class WebApplication {

    public static void main(String[] args) {
        SpringApplication app = new SpringApplication(WebApplication.class);
        app.run(args);
    }
}

Answer

Tomcat has a context attribute named useHttpOnly which checks:

Should the HttpOnly flag be set on session cookies to prevent client side script from accessing the session ID? Defaults to true.

So you need to set it to false. The configuration linked applies to non-embedded Tomcat servers. We need to find a way to do it with embedded Tomcat.

Here's how you do it. You declare a @Bean method that adds an EmbeddedServletContainerFactory to the context. You configure the returned TomcatEmbeddedServletContainerFactory by giving it a TomcatContextCustomizer that sets the appropriate property.

import java.util.Arrays;

import org.apache.catalina.Context;
import org.springframework.boot.context.embedded.EmbeddedServletContainerFactory;
import org.springframework.boot.context.embedded.tomcat.TomcatContextCustomizer;
import org.springframework.boot.context.embedded.tomcat.TomcatEmbeddedServletContainerFactory;
import org.springframework.context.annotation.Bean;

@Bean
public EmbeddedServletContainerFactory servletContainer() {
    TomcatEmbeddedServletContainerFactory factory = new TomcatEmbeddedServletContainerFactory();
    // Register the customizer so it runs against the embedded Tomcat Context.
    factory.setTomcatContextCustomizers(Arrays.asList(new CustomCustomizer()));
    return factory;
}

static class CustomCustomizer implements TomcatContextCustomizer {
    @Override
    public void customize(Context context) {
        // Equivalent of useHttpOnly="false" on a standalone Tomcat <Context>.
        context.setUseHttpOnly(false);
    }
}

This solution works because you are using Tomcat. With different Servlet containers, the solution would be different.
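Whichever container is in use, the change is only real once the response actually stops carrying the flag, so it is worth checking the Set-Cookie header rather than trusting the configuration. The following is an added example, not code from the question, the answer or Spring Boot: a small, language-agnostic audit in Python that parses raw Set-Cookie header values (the constructed sample reuses the JSESSIONID header from the question and the shape it takes once useHttpOnly is false) and reports session cookies that lack HttpOnly or Secure. The set of session-cookie names is an assumption; extend it for your application.

```python
"""Audit Set-Cookie headers for the HttpOnly and Secure attributes.

Added example (not part of the original question or answer). It parses raw
Set-Cookie header values and lists session cookies missing the two flags,
so the effect of context.setUseHttpOnly(false) can be confirmed from a
captured HTTP response.
"""
from typing import Dict, List

# Cookie names treated as session identifiers (assumed list, extend as needed).
SESSION_COOKIE_NAMES = {"JSESSIONID", "SESSION"}


def parse_set_cookie(header_value: str) -> Dict[str, object]:
    """Split one Set-Cookie value into name, value and a dict of attributes.

    Attribute names are lower-cased; flag attributes (HttpOnly, Secure)
    map to True, valued attributes (Path, Max-Age) map to their string value.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip(), "attributes": attrs}


def audit_cookies(set_cookie_headers: List[str]) -> List[str]:
    """Return one finding per missing flag on each session cookie."""
    findings: List[str] = []
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header)
        if cookie["name"] not in SESSION_COOKIE_NAMES:
            continue  # non-session cookies are out of scope for this check
        attrs = cookie["attributes"]
        if "httponly" not in attrs:
            findings.append(f"{cookie['name']}: missing HttpOnly (readable by script)")
        if "secure" not in attrs:
            findings.append(f"{cookie['name']}: missing Secure (sent over plain HTTP)")
    return findings


# Constructed sample headers: the one from the question (HttpOnly present),
# the same cookie as emitted once useHttpOnly is false, and a non-session cookie.
SAMPLE_HEADERS = [
    "JSESSIONID=D14846D9767B6404F1FB4B013AB66FB3; Path=/; HttpOnly",
    "JSESSIONID=D14846D9767B6404F1FB4B013AB66FB3; Path=/",
    "theme=dark; Path=/",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(header)
        for finding in audit_cookies([header]) or ["  ok"]:
            print("  " + finding.strip())
```

Run it against the Set-Cookie lines of a real response (for example copied from the developer tools network tab) to see exactly what the customizer changed. Note that Spring Boot later exposed the same switch as a property, `server.session.cookie.http-only` in the 1.x line and `server.servlet.session.cookie.http-only` from 2.0, which removes the need for the customizer bean when that is the only Tomcat setting being changed.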