Michael Furman (Migrated from SEC-1844) said:
Hi! It is important to add the HttpOnly flag to the rememberMe cookie. Version 3.1.0 is the first version that adds the flag to the cookie. Unfortunately, it happens only with the Servlet 3.0 API. I think it is important to do it for any Servlet API specification. The provided patch allows adding the HttpOnly flag to the rememberMe cookie even if it is not the Servlet 3.0 API. Best regards, Michael
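How the flag can be written on containers whose Cookie class has no setHttpOnly(): an added example in Java, not the patch attached to this issue, that emits the remember-me cookie as a raw Set-Cookie header with HttpOnly (and optionally Secure) always present. The cookie name, path and the helper names are assumptions, not Spring Security's own.

```java
import javax.servlet.http.HttpServletResponse;

// Added example, not the patch from this issue. Servlet 2.5's Cookie class has no
// setHttpOnly(), but the container still lets us write any Set-Cookie header, and
// browsers honour the HttpOnly attribute regardless of how the header was produced.
public final class HttpOnlyRememberMeCookie {

    // Cookie name assumed here; the framework's default remember-me cookie name may differ.
    static final String COOKIE_NAME = "remember-me";

    // Builds the header value by hand so HttpOnly (and Secure) are always present.
    static String buildSetCookie(String name, String value, int maxAgeSeconds,
                                 String path, boolean secure) {
        if (name == null || name.isEmpty() || name.indexOf(';') >= 0 || name.indexOf('=') >= 0) {
            throw new IllegalArgumentException("invalid cookie name");
        }
        // Reject characters that would let a value break out of the cookie or the header.
        if (value == null || value.indexOf(';') >= 0 || value.indexOf(',') >= 0
                || value.indexOf(' ') >= 0 || value.indexOf('\r') >= 0 || value.indexOf('\n') >= 0) {
            throw new IllegalArgumentException("cookie value must be a single token");
        }
        StringBuilder sb = new StringBuilder(name).append('=').append(value);
        sb.append("; Path=").append(path == null || path.isEmpty() ? "/" : path);
        if (maxAgeSeconds >= 0) {
            sb.append("; Max-Age=").append(maxAgeSeconds);
            // Expires covers browsers that ignore Max-Age; a max-age of 0 must expire in the past.
            long expiresAt = maxAgeSeconds == 0 ? 0L
                    : System.currentTimeMillis() + maxAgeSeconds * 1000L;
            sb.append("; Expires=").append(rfc1123(expiresAt));
        }
        if (secure) sb.append("; Secure");
        sb.append("; HttpOnly");
        return sb.toString();
    }

    // RFC 1123 date in GMT, the format browsers expect in the Expires attribute.
    static String rfc1123(long epochMillis) {
        java.text.SimpleDateFormat fmt = new java.text.SimpleDateFormat(
                "EEE, dd MMM yyyy HH:mm:ss 'GMT'", java.util.Locale.US);
        fmt.setTimeZone(java.util.TimeZone.getTimeZone("GMT"));
        return fmt.format(new java.util.Date(epochMillis));
    }

    // Adds (never replaces) the header so other cookies already set on the response survive.
    static void setRememberMeCookie(HttpServletResponse response, String token,
                                    int maxAgeSeconds, boolean secure) {
        response.addHeader("Set-Cookie",
                buildSetCookie(COOKIE_NAME, token, maxAgeSeconds, "/", secure));
    }
}
```

Because the attribute is appended to the header text rather than set through the Servlet API, the same code works on Servlet 2.5 and 3.x containers alike; verify the result by checking the response's Set-Cookie header for "HttpOnly" in an integration test.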
Comment From: rwinch
Spring Framework requires Servlet 3.1+ now.
As of Spring Framework 5.0, Spring requires the Java EE 7 level (e.g. Servlet 3.1+, JPA 2.1+) as a minimum - while at the same time providing out-of-the-box integration with newer APIs at the Java EE 8 level (e.g. Servlet 4.0, JSON Binding API) when encountered at runtime. This keeps Spring fully compatible with e.g. Tomcat 8 and 9, WebSphere 9, and JBoss EAP 7.