Allow to customize the way the session cookie is created. Fixes #155 #141 #112 #106

[domdorn]

This allows to customize all parameters of the cookie to be generated and also allows to provide a strategy to manually calculate the contextPath (in case it needs a more complex logic to calculate it then just setting it from the request or setting it to a static value).

It includes test-cases and documentation in form of javadoc

[cemo]

I need to customize secure flag of Cookie as well.

+1

[domdorn]

@rwinch is there anything missing preventing this to be merged? I would really like to see this in 1.0.1 as right now, we have to provide our own CookieHttpSessionStrategy just to override how certain things in the cookie are set. Thx

[rwinch]

@domdorn Thanks for the quick responses. I am rather busy with getting Security 4.0 GA out right now so haven't had time to look at Spring Session.

After Security 4.0 GA I will be focusing on a 1.0.1 release. We will make sure something gets in 1.0.1 to resolve your issue.

[cbeattie-miovision]

I needed this as well. I needed to set the context path to a fixed value so I am glad to see that this is now possible in this PR.

The CookiePathCalculationStrategy is a nice touch but I wonder if it could be made a little more broad (and thus more useful). Clearly the purpose of the CookieHttpSessionStrategy class is to manage HTTP sessions via cookies and therefore the createSessionCookie() method is of critical importance. Wouldn't it be better to use the strategy pattern on the creation of the cookie itself rather than on only the path? For example:

public interface CookieCreationStrategy {
    Cookie createSessionCookie(HttpServletRequest, Map<String, String> sessionIds);
}

The default implementation (ie. DefaultCookieCreationStrategy()) could be exactly the same code that is currently in CookieHttpSessionStrategy.createSessionCookie() but using a strategy pattern would allow one to customize the way the cookie is created including things like setting the cookie domain or setting a custom path. One complication would be that createSessionCookie() currently uses some member variables but that isn't insurmountable.

Just a suggestion...but this approach seems a bit more flexible.

OR. Another far simpler approach would be to remove the final qualifier from CookieHttpSessionStrategy and allow for inheritance (noting the somewhat questionable value of doing so it certainly would be pragmatic).

[Youmoo]

👍
I need to customize cookie.domain , to allow all sub domains share same sessions.

[leonty]

Hi,

Any progress on this PR ? It's 8 months since it's been proposed while this functionality is required by many. I for instance have the same issue as @Youmoo.

[rwinch]

Thanks for the great request! I'm trying to aggregate all the feature requests for cookies, so we can solve this problem more holistically. Therefore, I'm closing this in favor of #299 which takes this feature into account.