Turn off HttpOnly Spring boot

At least on Spring Boot >= 1.4, it's even easier, just use the following property:

server.servlet.session.cookie.http-only= # "HttpOnly" flag for the session cookie. configuration property.

as documented in the official documentation.


server.servlet.session.cookie.http-only=false 

(Property updated)

Reference https://docs.spring.io/spring-boot/docs/current/reference/html/common-application-properties.html


Another alternative to the accepted answer that fits into spring boot is overriding the customize method of your EmbeddedServletContainerCustomizer.

First, implement the interface:

@Configuration
@ComponentScan
@EnableAutoConfiguration
public class Application implements EmbeddedServletContainerCustomizer

Then add an override for the customize method:

@Override
public void customize(final ConfigurableEmbeddedServletContainer container)
{
    ((TomcatEmbeddedServletContainerFactory) container).addContextCustomizers(new TomcatContextCustomizer()
    {
        @Override
        public void customize(Context context)
        {
            context.setUseHttpOnly(false);
        }
    });
}

Incidentally, I found that the httpOnly wasn't being set at all for me .. so I had to use this method to turn httpOnly on (obviously my setting above is 'true').

You can also use this method to adjust other things in tomcat, such as turning on gzip for json and expanding the max http headersize (in the case of kerberos authentication I needed to do this):

((TomcatEmbeddedServletContainerFactory) container).addConnectorCustomizers(new TomcatConnectorCustomizer()
{
    @Override
    public void customize(final Connector connector)
    {
        AbstractHttp11Protocol httpProtocol = (AbstractHttp11Protocol) connector.getProtocolHandler();
        httpProtocol.setMaxHttpHeaderSize(65536);
        httpProtocol.setCompression("on");
        httpProtocol.setCompressionMinSize(256);
        String mimeTypes = httpProtocol.getCompressableMimeTypes();
        String mimeTypesWithJson = mimeTypes + "," + MediaType.APPLICATION_JSON_VALUE;
        httpProtocol.setCompressableMimeTypes(mimeTypesWithJson);
    }
});