When you use spring-session, e.g. to persist your session in Redis, this is indeed done automatically. The cookie is then created by org.springframework.session.web.http.CookieHttpSessionStrategy, which in CookieHttpSessionStrategy#createSessionCookie checks if the request comes via HTTPS and sets secure accordingly:

sessionCookie.setSecure(request.isSecure());

If you do not use spring-session, you can configure secure cookies using a ServletContextInitializer. Use an application property to set it to true/false depending on a profile.

@Bean
public ServletContextInitializer servletContextInitializer(@Value("${secure.cookie}") boolean secure) {
    return new ServletContextInitializer() {
        @Override
        public void onStartup(ServletContext servletContext) throws ServletException {
            // Marks the container-managed session cookie (JSESSIONID) as Secure
            servletContext.getSessionCookieConfig().setSecure(secure);
        }
    };
}

application.properties (used in dev when profile 'prod' is not active):

secure.cookie=false

application-prod.properties (only used when profile 'prod' is active, overwrites value in application.properties):

secure.cookie=true

start your application on the prod server with:

--spring.profiles.active=prod

Sounds like some effort, if you have not worked with profiles so far, but you will most likely need a profile for prod environment anyway, so it's really worth it.
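The following is an added example, not code from the answer above or from the Spring projects themselves. It assumes Spring Boot 2.x with the javax.servlet API and a hypothetical package name. It packages the same ServletContextInitializer idea as a lambda, additionally sets HttpOnly on the session cookie, and registers Spring's ForwardedHeaderFilter so that request.isSecure() (the check spring-session relies on) reflects the X-Forwarded-Proto header when TLS is terminated at a reverse proxy in front of the application; that proxy setup is an assumption.

```java
package com.example.sessioncookie; // hypothetical package name

import javax.servlet.SessionCookieConfig;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.boot.web.servlet.ServletContextInitializer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.Ordered;
import org.springframework.web.filter.ForwardedHeaderFilter;

@Configuration
public class SessionCookieConfiguration {

    /**
     * Configures the container-managed session cookie (JSESSIONID).
     * "secure.cookie" is the same profile-driven property as in the answer above:
     * false in application.properties (dev), true in application-prod.properties.
     */
    @Bean
    public ServletContextInitializer sessionCookieInitializer(
            @Value("${secure.cookie}") boolean secure) {
        // ServletContextInitializer is a functional interface, so a lambda is enough
        return servletContext -> {
            SessionCookieConfig cookie = servletContext.getSessionCookieConfig();
            // Secure: browser only sends the cookie over HTTPS
            cookie.setSecure(secure);
            // HttpOnly: cookie is not readable from JavaScript (document.cookie)
            cookie.setHttpOnly(true);
        };
    }

    /**
     * Assumption: TLS terminates at a reverse proxy that sets X-Forwarded-Proto
     * (and overwrites any value sent by the client). Without this filter the
     * servlet container sees plain HTTP, request.isSecure() returns false and
     * spring-session's CookieHttpSessionStrategy would issue a non-Secure cookie.
     */
    @Bean
    public FilterRegistrationBean<ForwardedHeaderFilter> forwardedHeaderFilter() {
        FilterRegistrationBean<ForwardedHeaderFilter> registration =
                new FilterRegistrationBean<>(new ForwardedHeaderFilter());
        // Run first so every later filter and the session strategy see the forwarded scheme
        registration.setOrder(Ordered.HIGHEST_PRECEDENCE);
        return registration;
    }
}
```

Only register the forwarded-header filter when the proxy is known to overwrite X-Forwarded-Proto; if clients can reach the application directly and set that header themselves, the container would trust a scheme the client chose. After deploying, confirm the result with the browser's developer tools or curl: the Set-Cookie header for JSESSIONID on an HTTPS response should carry both the Secure and HttpOnly attributes.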