This is a quick guide on how to use cookies in Spring Boot.


Outline of this article

HTTP cookies (also known as Web cookies , browser cookies ) are small pieces of data that the server stores in the user’s browser. The server-side application sets a cookie when it returns a response to the browser request, the browser stores the cookies, and automatically brings them back to the server-side application when the next request is sent together.

Cookies provide a way to exchange information between the server and the browser to manage sessions (login, shopping cart, game score), remember user preferences (themes, privacy policy acceptance), and track user behavior across the site. Cookies to a certain extent relieve the pressure on the server side, because part of the data is stored on the browser side, so this part of the data cannot be data related to application security. In this article, we will learn how to read, set, and delete HTTP cookies in a Spring Boot application.

Reading HTTP cookies

The Spring framework provides @CookieValueannotations to get the value of HTTP cookies. This annotation can be used directly in controller method parameters.

public String readCookie(@CookieValue(value = "username", 
                         defaultValue = "Atta") String username) {
    return "Hey! My username is " + username;

Please note in the above code snippet defaultValue = "Atta". If no default value is set and no cookie named username is found, Spring will throw java.lang.IllegalStateExceptionan exception.

Setting HTTP cookies

To set cookies in Spring Boot, we can use HttpServletResponsemethods of the class addCookie(). All you need to do is create a new Cookieobject and add it to the response.

public String setCookie(HttpServletResponse response) {

    Cookie cookie = new Cookie("username", "Jovan");


    return "Username is changed!";

Read all cookies []

In addition to using @CookieValueannotations, we can also use a HttpServletRequestclass as a controller method parameter to read all cookies. This class provides getCookies()methods that return all the cookies sent by the browser as an array.

public String readAllCookies(HttpServletRequest request) {

    Cookie[] cookies = request.getCookies();
    if (cookies != null) {
                .map(c -> c.getName() + "=" + c.getValue())
                .collect(Collectors.joining(", "));

    return "No cookies";

Set an expiration time for cookies

If no expiration time is specified for a cookie, its lifetime will continue until the Session expires. Such cookies are called session cookies . Session cookies remain active until the user closes their browser or clears their cookies. But you can override this default behavior and use a class setMaxAge()method to set the cookie expiration time.

Cookie cookie = new Cookie("username", "Jovan");
cookie.setMaxAge(7 * 24 * 60 * 60); 


Now, usernamecookies do not expire due to the end of Seesion, but remain valid for the next 7 days. setMaxAge()The expiration time passed to the method is in seconds. The expiration date and time are relative to the client who set the cookie, not the server.

Https and cookies

We need to understand a concept: what are the secure cookies? A secure cookie is a cookie that can only be sent to the server over an encrypted HTTPS connection. Cookies cannot be sent to the server over an unencrypted HTTP connection. In other words, if setSecure (true) is set, the cookie cannot be transmitted in the Http connection, it can only be transmitted in the Https connection.

Cookie cookie = new Cookie("username", "Jovan");


HttpOnly Cookie

HttpOnly cookies are used to prevent cross-site scripting (XSS) attacks, that is, cookies with Http Only set cannot be Document.cookieaccessed through the JavaScript API, and can only be accessed by server programs on the server side.

Cookie cookie = new Cookie("username", "Jovan");


Deleting Cookies

To delete cookies, you need to Max-Ageset it to 0 and set the value of the cookie to null. Do not set the Max-Ageinstruction value to a -1negative number. Otherwise, the browser will treat it as a session cookie.

Cookie cookie = new Cookie("username", null);