Summary
Can we please allow for configuring the desired value of the "secure" flag for the XSRF-TOKEN cookie created by CookieCsrfTokenRepository?
Actual Behavior
The flag is always set based on the "isSecure" flag on the Http request: cookie.setSecure(request.isSecure());
Expected Behavior
While using the request's "isSecure" flag is a reasonable default, when webapps sit behind firewalls, sometimes the firewall does the SSL, and the traffic between the firewall and the app is plain HTTP (not HTTPS). In this case the "isSecure" flag on the request is always false, but we still want the XSRF-TOKEN cookie to be secure (the firewall forwards all cookies to the app, and the browser sends the secure cookie to the firewall).
It would be nice if we could configure the desired value for the secure flag of the cookie, just like we can configure the value for the httpOnly flag of the cookie.
Configuration
Version
I'm currently on 4.2.6.RELEASE
Sample
Comment From: Juan-Bustamante
Rob - it doesn't appear to me that the fix is indeed for this issue.
How does the change to "ServerHttpBasicAuthenticationConverter" enhance the "CookieCsrfTokenRepository"?
Comment From: izeye
The commit looks meant to close #5614, not this one.
Comment From: sasikumar-swaminathan
@izeye, Indeed this issue was closed with the wrong commit I guess. I'm in desperate need of a configurable secure flag for the exact same reason @Juan-Bustamante has mentioned above. Should we somehow notify Rob Winch about it?
Comment From: zcwang3
@rwinch did you close this issue intentionally or by accident? It seems that the feature enhancement requirement is still there and not fixed.
Should we report a new issue with the same content?
Comment From: rwinch
@zcwang3 Thanks for pointing that out. It appears that the commit referenced the wrong issue. I have reopened this ticket.
Comment From: rwinch
Closing in favour of gh-8749