@Configuration

//WebMvcConfigurerAdapter在2.0.*中已作废，有WebMvcConfigurer，WebMvcConfigurationSupport两种方案。

//public class WebSecurityConfig extends WebMvcConfigurerAdapter{

public class WebSecurityConfig implements WebMvcConfigurer {

//public class WebSecurityConfig extends WebMvcConfigurationSupport {

            @Bean

            public ServletContextInitializer servletContextInitializer() {

                return new ServletContextInitializer() {

                    @Override

                    public void onStartup(ServletContext servletContext) throws ServletException {

                       servletContext.setSessionTrackingModes(Collections.singleton(SessionTrackingMode.COOKIE));

                       SessionCookieConfig sessionCookieConfig=servletContext.getSessionCookieConfig();

                       sessionCookieConfig.setHttpOnly(true);

                    }

                };

        }

}

@Configuration

//WebMvcConfigurerAdapter在2.0.*中已作废，有WebMvcConfigurer，WebMvcConfigurationSupport两种方案。

//public class WebSecurityConfig extends WebMvcConfigurerAdapter{

public class WebSecurityConfig implements WebMvcConfigurer {

//public class WebSecurityConfig extends WebMvcConfigurationSupport {

    @Bean

    public ServletContextInitializer servletContextInitializer() {

        return servletContext -> {

            servletContext.setSessionTrackingModes(Collections.singleton(SessionTrackingMode.COOKIE));

            SessionCookieConfig sessionCookieConfig=servletContext.getSessionCookieConfig();

            sessionCookieConfig.setHttpOnly(true);

        };

    }

}

package org.springframework.boot.web.servlet;

import javax.servlet.ServletContext;

import javax.servlet.ServletException;

@FunctionalInterface

public interface ServletContextInitializer {

    void onStartup(ServletContext servletContext) throws ServletException;

}