Tomcat has a context attribute named useHttpOnly which checks:
Should the HttpOnly flag be set on session cookies to prevent client side script from accessing the session ID? Defaults to true.
So you need to set it to false. The configuration linked applies to non-embedded Tomcat servers. We need to find a way to do it with embedded Tomcat.
Here's how you do it. You declare a @Bean method for adding an EmbeddedServletContainerFactory to the context. You configure the returned TomcatEmbeddedServletContainerFactory by specifying a TomcatContextCustomizer which configures the appropriate property.
import java.util.Arrays;

import org.apache.catalina.Context;
import org.springframework.boot.context.embedded.EmbeddedServletContainerFactory;
import org.springframework.boot.context.embedded.tomcat.TomcatContextCustomizer;
import org.springframework.boot.context.embedded.tomcat.TomcatEmbeddedServletContainerFactory;
import org.springframework.context.annotation.Bean;

@Bean
public EmbeddedServletContainerFactory servletContainer() {
    TomcatEmbeddedServletContainerFactory factory = new TomcatEmbeddedServletContainerFactory();
    // Register the customizer so it runs against the embedded Tomcat Context
    factory.setTomcatContextCustomizers(Arrays.asList(new CustomCustomizer()));
    return factory;
}

static class CustomCustomizer implements TomcatContextCustomizer {
    @Override
    public void customize(Context context) {
        // Equivalent of useHttpOnly="false" on the <Context> element in server.xml
        context.setUseHttpOnly(false);
    }
}
This solution works because you are using Tomcat. With different Servlet containers, the solution would be different.
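Whichever way the flag ends up configured, the thing to verify is the Set-Cookie header the server actually emits. The following is an added check, not code from the answer above: it parses Set-Cookie header values and reports session cookies that are missing the HttpOnly attribute. The header lines and the list of session-cookie names are constructed assumptions.

```python
"""Check Set-Cookie headers for session cookies that client-side script could read."""
from dataclasses import dataclass
from typing import List, Optional

# Assumed session-cookie names: Tomcat's default and Spring Session's default.
SESSION_COOKIE_NAMES = {"JSESSIONID", "SESSION"}


@dataclass
class CookieCheck:
    name: str
    http_only: bool
    secure: bool
    same_site: Optional[str]
    is_session_cookie: bool


def parse_set_cookie(header: str) -> CookieCheck:
    """Parse one Set-Cookie header value into the flags we care about.

    Attribute names are matched case-insensitively, as browsers do.
    """
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return CookieCheck(
        name=name,
        http_only="httponly" in attrs,
        secure="secure" in attrs,
        same_site=attrs.get("samesite") or None,
        is_session_cookie=name.upper() in SESSION_COOKIE_NAMES,
    )


def find_exposed_session_cookies(headers: List[str]) -> List[str]:
    """Return the names of session cookies set without HttpOnly."""
    checks = [parse_set_cookie(h) for h in headers]
    return [c.name for c in checks if c.is_session_cookie and not c.http_only]


# Constructed sample headers: one cookie with the Tomcat default (HttpOnly on),
# one as emitted after useHttpOnly=false, and one unrelated preference cookie.
SAMPLE_HEADERS = [
    "JSESSIONID=A1B2C3; Path=/; HttpOnly",
    "JSESSIONID=D4E5F6; Path=/",
    "theme=dark; Path=/; Max-Age=3600",
]

if __name__ == "__main__":
    print(find_exposed_session_cookies(SAMPLE_HEADERS))
```

Run it against the real Set-Cookie values captured from your application; an empty list means every session cookie kept the HttpOnly flag.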