Reputation: 527
I'm working on a Spring Auth Server. I'm having problems setting Cookie parameters though, where they are not being set.
Here is my server log:
SESSION INFORMATION - AFTER SUCCESSFUL AUTHENTICATION
Session ID: 2E39E82F4C8014418E584564F5B4CE2E
Session Creation Time: 2024-08-11T09:07:30.655Z
Session Last Accessed Time: 2024-08-11T09:07:30.655Z
Session Timeout (seconds): 5
Session Expiration Time: 2024-08-11T09:07:35.655Z
-----------
SESSION COOKIE INFORMATION
Cookie Name: null
Cookie Path: null
Cookie Domain: null
Cookie Max Age: -1
Cookie Secure: false
Cookie HttpOnly: false
Cookie Attributes: {}
-----------
RESPONSE COOKIES INFORMATION
Cookie Name: JSESSIONID
Cookie Value: 2E39E82F4C8014418E584564F5B4CE2E
Path: /
Domain: null
Max-Age: null
Expires: null
Secure: false
HttpOnly: true
SameSite: null
The Response Cookie (JSESSIONID) is what I believe the Auth Server sets after each Session is created. The code that generates the above log information is in the Success and Failure handlers (see below).
Cookie Config
My Config Cookie Code looks like this (following the docs here: Spring Documentation on Cookies):
import org.springframework.context.annotation.Bean
import org.springframework.context.annotation.Configuration
import org.springframework.session.web.http.CookieSerializer
import org.springframework.session.web.http.DefaultCookieSerializer

@Configuration
internal class CookiesConfig(
    private val sessionProperties: SessionProperties
) {
    // Spring Session's cookie serializer. It is read by Spring Session's
    // SessionRepositoryFilter (CookieHttpSessionIdResolver), not by the servlet
    // container that issues the JSESSIONID cookie.
    @Bean
    fun cookieSerializer(): CookieSerializer {
        val serializer = DefaultCookieSerializer()
        serializer.setCookieName(sessionProperties.SESSION_COOKIE_NAME)
        serializer.setUseHttpOnlyCookie(sessionProperties.SESSION_COOKIE_HTTP_ONLY)
        serializer.setUseSecureCookie(sessionProperties.SESSION_COOKIE_SECURE)
        serializer.setSameSite(sessionProperties.SESSION_COOKIE_SAME_SITE)
        serializer.setCookieMaxAge(sessionProperties.SESSION_COOKIE_MAX_AGE) // seconds
        serializer.setCookiePath(sessionProperties.SESSION_COOKIE_PATH)
        return serializer
    }
}
Parameters
The parameters are set here (all my properties are in a file, Application Properties):
import org.springframework.stereotype.Component

@Component
internal class SessionProperties {
    // Kotlin class properties declared with `val` are final by default.
    val SESSION_MAX_AGE: Int = 5 // in seconds
    val SESSION_COOKIE_NAME: String = "AUTH-SESSIONID"
    val SESSION_COOKIE_HTTP_ONLY: Boolean = true
    val SESSION_COOKIE_SECURE: Boolean = false // scope is not just on secure connections
    val SESSION_COOKIE_SAME_SITE: String = "Strict"
    val SESSION_COOKIE_MAX_AGE: Int = 5 // in seconds
    val SESSION_COOKIE_PATH: String = "/"
    val REDIRECT_URL: String = "/session-expired"
}
Repository files
The relevant files for setting cookie information are:
Application Properties (see "Session Properties" near the bottom)
Main Security chain
Should CookieSerializer go into the main security chain somewhere, for this synchronous Auth server, or into some kind of Session Store so it's picked up by the Spring Application Context? It seems like it's being totally ignored. Even the name I set, "AUTH-SESSIONID", is being ignored.
Here is my main security chain config:
Can someone please help?
Once I get this working, I was hoping to migrate all the in-memory storage to Spring Session and Redis.
Upvotes: 0
Views: 46
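For context on where a CookieSerializer bean is actually consumed, here is an added example (not the question author's code and not taken from the linked repository) that wires it into Spring Session with an in-memory store. It assumes spring-session-core is on the classpath; the package name, the MapSessionRepository stand-in and the literal cookie values mirroring the question's SessionProperties are assumptions for illustration.

```kotlin
// Added example: making Spring Session own the session cookie so that the
// CookieSerializer bean is applied. Assumes spring-session-core is a dependency.
package example.session // hypothetical package

import org.springframework.context.annotation.Bean
import org.springframework.context.annotation.Configuration
import org.springframework.session.MapSessionRepository
import org.springframework.session.config.annotation.web.http.EnableSpringHttpSession
import org.springframework.session.web.http.CookieSerializer
import org.springframework.session.web.http.DefaultCookieSerializer
import java.util.concurrent.ConcurrentHashMap

@Configuration
// Registers SessionRepositoryFilter, which wraps the request so that
// HttpServletRequest.getSession() is backed by the SessionRepository below
// instead of the servlet container. The filter is @Order'ed ahead of Spring
// Security's filter chain, so nothing needs to be added to the SecurityFilterChain.
@EnableSpringHttpSession
class SpringSessionConfig {

    // @EnableSpringHttpSession requires exactly one SessionRepository bean.
    // MapSessionRepository is in-memory and single-node: a stand-in here for the
    // Redis-backed repository the question plans to migrate to.
    @Bean
    fun sessionRepository(): MapSessionRepository =
        MapSessionRepository(ConcurrentHashMap())

    // SpringHttpSessionConfiguration autowires this optional bean into its
    // CookieHttpSessionIdResolver. Without @EnableSpringHttpSession (or a Spring
    // Boot Spring Session store auto-configuration) no component reads it, and the
    // container keeps emitting its own JSESSIONID cookie.
    @Bean
    fun cookieSerializer(): CookieSerializer =
        DefaultCookieSerializer().apply {
            setCookieName("AUTH-SESSIONID")   // assumed value, mirrors SESSION_COOKIE_NAME
            setUseHttpOnlyCookie(true)
            setUseSecureCookie(false)         // only acceptable for local plain-HTTP development
            setSameSite("Strict")             // DefaultCookieSerializer's default is "Lax"
            setCookieMaxAge(5)                // seconds; -1 would make it a session cookie
            setCookiePath("/")
        }
}
```

With this configuration the Set-Cookie header carries AUTH-SESSIONID rather than JSESSIONID, and its attributes come from the serializer. If the goal is only to rename and harden the servlet container's own JSESSIONID cookie without Spring Session, the equivalent knobs are Spring Boot's server.servlet.session.cookie.name, .http-only, .secure, .same-site, .max-age and .path properties plus server.servlet.session.timeout, which Boot applies to the embedded container (and, once a Spring Session store is auto-configured, also to a DefaultCookieSerializer it creates when no CookieSerializer bean is defined). Note that Secure=false with SameSite=Strict still leaves the session cookie readable on any plain-HTTP hop; keep Secure=true anywhere TLS is terminated before the application.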