Integration with spring-session

[jgogstad]

Using spring-session to implement persistent database sessions, one can no longer use the session configuration in the spring-boot documentation, like server.session.cookie.secure or server.session.cookie.http-only.

Spring-boot configures javax.servlet.SessionCookieConfig through org.springframework.boot.autoconfigure.web.ServerProperties.SessionConfiguringInitializer and relies on the servlet container to use this configuration for cookies. For some reason, spring-session is configured its own way and doesn't even consider reading any SessionCookieConfig.

Spring-boot should either provide a org.springframework.session.web.http.CookieSerializer that propagates configuration from SessionCookieConfiguration, or the problem should be fixed in spring-session.

Maybe we could get a maven artifact spring-boot-starter-session that configures this? Spring session seems to be configured differently from any other spring framework with Spring Boot (documentation)

[wilkinsona]

Before we decide what to do, @rwinch can you please comment on Spring Session's configuration approach and the possibility of it using SessionCookieConfig?

[wilkinsona]

Maybe we could get a maven artifact spring-boot-starter-session that configures this?

Boot's own starters don't actually contain any code. The code's in spring-boot-autoconfigure. The starters are just a short way of adding several dependencies to your app as one. We don't have one for Spring Session is there's only one module that you'd definitely want (spring-session). Whatever else you'd need then depends on which session repository you're using.

[jgogstad]

Ah, I'm not familiar with the architecture around starters I'm afraid. Having org.springframework.session:spring-session and then the starter for your datastore is fine I guess.

Anyway, the real case for this issue is making the integration with spring-session more seamless. You either need to change the defaults of org.springframework.session.web.http.DefaultCookieSerializer or place a custom spring-boot implementation somewhere.

[rwinch]

This looks like a duplicate of spring-projects/spring-session#87

While we would love this issue to be resolved, we have been busy with other higher priority issues. Contributions welcome :)

[snicoll]

Duplicates spring-projects/spring-session#87