NFC-47 Configure session cookie with Secure, HttpOnly, and SameSite=Lax for mobile auth flow

Author: SanderKondratjevNortal

example/src/main/java/eu/webeid/example/config/SameSiteCookieConfiguration.java

@@ -24,19 +24,27 @@
 
 import org.apache.tomcat.util.http.Rfc6265CookieProcessor;
 import org.springframework.boot.web.embedded.tomcat.TomcatContextCustomizer;
+import org.springframework.boot.web.servlet.ServletContextInitializer;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
-import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
 
 @Configuration
-public class SameSiteCookieConfiguration implements WebMvcConfigurer {
+public class SameSiteCookieConfiguration {
 
     @Bean
-    public TomcatContextCustomizer configureSameSiteCookies() {
+    public TomcatContextCustomizer sameSiteCustomizer() {
         return context -> {
-            final Rfc6265CookieProcessor cookieProcessor = new Rfc6265CookieProcessor();
+            Rfc6265CookieProcessor cookieProcessor = new Rfc6265CookieProcessor();
             cookieProcessor.setSameSiteCookies("lax");
             context.setCookieProcessor(cookieProcessor);
         };
     }
+
+    @Bean
+    public ServletContextInitializer cookieFlagsInitializer() {
+        return servletContext -> {
+            servletContext.getSessionCookieConfig().setSecure(true);
+            servletContext.getSessionCookieConfig().setHttpOnly(true);
+        };
+    }
 }