I get the following exception when I POST the login credentials for my Spring Boot app.
org.springframework.security.web.firewall.RequestRejectedExcep
OK, changing server.servlet.session.cookie.http-only=true to server.session.tracking-modes=cookie and changing http://localhost:8080 to http://127.0.0.1:8080/ worked. I found this answer:
Chrome localhost cookie not being set
It seems Chrome keeps flipping from allowing localhost to disallowing localhost. It was working about a month or three ago. localhost is working for a Rails app and Chrome is sending the cookies.
In fact, Chrome is also sending the _mt_rails_session Rails cookie for localhost to the Spring Boot app, but never the JSESSIONID cookie.
I suspect, but have not confirmed, it may be due to setting up HTTPS on port 8080 for an unrelated 3rd Spring Boot app, and there may be some HSTS setting cached in Chrome internals. It's probably a bug in Chrome.