I created a quick and dirty spring-boot application, and this is what I came up with.
The generated ServletInitializer can be changed as follows:
```java
package com.division6.bootr;

import java.util.Collections;

import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.SessionCookieConfig;
import javax.servlet.SessionTrackingMode;

import org.springframework.boot.builder.SpringApplicationBuilder;
// Spring Boot 1.x package; in Spring Boot 2.x the class lives in
// org.springframework.boot.web.servlet.support.SpringBootServletInitializer
import org.springframework.boot.context.web.SpringBootServletInitializer;

public class ServletInitializer extends SpringBootServletInitializer {

    @Override
    public void onStartup(ServletContext servletContext) throws ServletException {
        // This can be done here or as the last step in the method.
        // Doing it in this order will initialize the Spring framework first;
        // doing it as the last step will initialize the Spring framework
        // after the Servlet configuration is established.
        super.onStartup(servletContext);

        // Track sessions with cookies only (no ;jsessionid= URL rewriting)
        servletContext.setSessionTrackingModes(
                Collections.singleton(SessionTrackingMode.COOKIE));

        // This will prevent any JS on the page from accessing the cookie;
        // it will only be used/accessed by the HTTP transport mechanism in use
        SessionCookieConfig sessionCookieConfig = servletContext.getSessionCookieConfig();
        sessionCookieConfig.setHttpOnly(true);
    }

    @Override
    protected SpringApplicationBuilder configure(SpringApplicationBuilder application) {
        return application.sources(SpringBootrApplication.class);
    }
}
```

Author's note:
I'm not sure when this was introduced, but by adding the following parameters the same thing can be achieved without writing any code:
- server.servlet.session.cookie.http-only=true
- server.servlet.session.tracking-modes=cookie
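One caveat worth knowing about the ServletInitializer approach above: `SpringBootServletInitializer.onStartup` is only invoked when the application is deployed as a WAR into an external servlet container. When the app runs with `java -jar` on the embedded Tomcat/Jetty/Undertow, that method is never called and the cookie settings never take effect. The following is an added example (not code from the answer above) that applies the same hardening in both deployment modes by registering a `ServletContextInitializer` bean, and also sets the `Secure` flag. It assumes Spring Boot 2.x with the `javax.servlet` API (Spring Boot 3 uses `jakarta.servlet` instead), that the application is served over HTTPS, and the package and class names are arbitrary:

```java
package com.division6.bootr; // package name reused from the answer above; any package works

import java.util.EnumSet;

import javax.servlet.SessionCookieConfig;
import javax.servlet.SessionTrackingMode;

import org.springframework.boot.web.servlet.ServletContextInitializer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

/**
 * Hardens the container's session cookie for both embedded-container and WAR
 * deployments. Spring Boot calls every ServletContextInitializer bean while the
 * ServletContext is still being initialised, which is the only window in which
 * setSessionTrackingModes() and SessionCookieConfig may be modified.
 */
@Configuration
public class SessionCookieHardening {

    @Bean
    public ServletContextInitializer sessionCookieInitializer() {
        return servletContext -> {
            // Cookie-only tracking: never fall back to ;jsessionid= URL rewriting,
            // which leaks the session id into access logs, Referer headers and bookmarks.
            servletContext.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));

            SessionCookieConfig cookie = servletContext.getSessionCookieConfig();

            // HttpOnly: not readable from document.cookie, so an XSS payload
            // cannot simply exfiltrate the session id.
            cookie.setHttpOnly(true);

            // Secure: only sent over TLS. Assumption: the app is served over HTTPS;
            // on a plain-HTTP dev server this flag makes the cookie disappear entirely.
            cookie.setSecure(true);
        };
    }
}
```

The property-file equivalent for the extra flag is `server.servlet.session.cookie.secure=true`, alongside the two properties listed above. Either way, verify the result rather than trusting the configuration: log in and inspect the `Set-Cookie` header for `JSESSIONID` and confirm it carries both `HttpOnly` and `Secure`, and check that no `;jsessionid=` ever appears in redirects or generated links.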



