When combining Spring Security features (e.g. OAuth2) with Spring Cloud Gateway you might run into problems with overlapping session cookies because the gateway itself and the downstream service need a session cookie. In such cases a duplicate session cookie would result in errors of Spring Security and/or the downstream service. In some cases it may be hard to rename the session cookie of the downstream service.
Customizing the name of the session cookie of WebFlux would help but is currently not supported by properties. I suggest extending WebFluxProperties.Cookie by a property name which should be used by WebFluxAutoConfiguration.
I tried out a workaround creating a custom WebSessionManager bean, which is working fine, but I think it would help if this functionality, which seems easy to implement, would work out of the box. I could help creating a pull request if this enhancement is approved.
Comment From: philwebb
You should be able to create a CookieWebSessionIdResolver bean and use addCookieInitializer if you want to customize the cookie.
It does seem to me that we're quite light on properties in WebFluxProperties.Cookie, especially compared to the servlet equivalent. Looking at ResponseCookieBuilder there certainly seems to be a lot more that we could surface.
Flagging for team attention in case anyone remembers a reason why we didn't do that by default. I'd personally be in favor of adding some more properties.
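The two approaches mentioned so far in the thread (a custom WebSessionManager bean and a CookieWebSessionIdResolver with addCookieInitializer) can be combined as below. This is an added example, not code from the issue or from Spring Boot; the class name, the resolver bean name and the cookie name GATEWAY_SESSION are assumptions.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.server.session.CookieWebSessionIdResolver;
import org.springframework.web.server.session.DefaultWebSessionManager;
import org.springframework.web.server.session.WebSessionManager;

// Hypothetical configuration class for the gateway application.
@Configuration(proxyBeanMethods = false)
public class GatewaySessionCookieConfig {

    // Assumed name: any value the downstream service does not already use.
    private static final String GATEWAY_COOKIE_NAME = "GATEWAY_SESSION";

    @Bean
    public CookieWebSessionIdResolver gatewaySessionIdResolver() {
        CookieWebSessionIdResolver resolver = new CookieWebSessionIdResolver();
        // Rename the gateway's cookie so it no longer collides with the
        // session cookie set by the downstream service.
        resolver.setCookieName(GATEWAY_COOKIE_NAME);
        // The initializer runs after the resolver's own defaults, so these
        // attributes are what ends up in the Set-Cookie header.
        resolver.addCookieInitializer(cookie -> cookie
                .path("/")
                .httpOnly(true)
                // Forced on even when TLS terminates in front of the gateway
                // and the request scheme seen here is "http". A browser will
                // not send this cookie over plain HTTP.
                .secure(true)
                // "Lax" still sends the cookie on the top-level redirect back
                // from the OAuth2 authorization server; "Strict" would not.
                .sameSite("Lax"));
        return resolver;
    }

    // WebHttpHandlerBuilder looks the session manager up by the bean name
    // "webSessionManager", so the method name matters here.
    @Bean
    public WebSessionManager webSessionManager(CookieWebSessionIdResolver resolver) {
        DefaultWebSessionManager manager = new DefaultWebSessionManager();
        manager.setSessionIdResolver(resolver);
        return manager;
    }
}
```

After deploying, check the gateway's Set-Cookie response header: it should carry only the renamed cookie, with the Secure, HttpOnly and SameSite attributes set.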
Comment From: philwebb
@aburmeis A pull-request would be most welcome as it would give us something concrete to discuss, but I wouldn't spend too long on it until we've had a chance to discuss it on a team call (which will be sometime after Spring One).
Comment From: snicoll
We already have a PR related to this, see https://github.com/spring-projects/spring-boot/pull/26714
Comment From: aburmeis
@snicoll cool, missed that - so now we have an issue for the changes ;-)
Comment From: philwebb
Let's use #26714 to track this one. Thanks for the reminder @snicoll.