在启动类中继承 SpringBootServletInitializer,然后重写 onStartup 方法:
/**
 * Applies session-cookie hardening when the servlet context starts up.
 *
 * <p>Runs the superclass start-up first, then restricts session tracking to
 * cookies and marks the session cookie as HttpOnly.
 *
 * @param servletContext the servlet context being initialised
 * @throws ServletException declared by the overridden signature; nothing in
 *     this body throws it directly
 */
public void onStartup(ServletContext servletContext) throws ServletException {
    // Let the parent initialiser do its work before the session settings are touched.
    super.onStartup(servletContext);

    // Cookie is the only tracking mode enabled, so the container will not
    // fall back to URL rewriting and the session id stays out of URLs
    // (and therefore out of logs, Referer headers and browser history).
    servletContext.setSessionTrackingModes(Collections.singleton(SessionTrackingMode.COOKIE));

    // HttpOnly keeps page scripts from reading the session cookie; only the
    // HTTP transport sends it.
    // NOTE(review): the Secure flag is not set here. If the application is
    // served over HTTPS only, consider also calling setSecure(true) on the
    // same SessionCookieConfig so the cookie is never sent over plain HTTP.
    servletContext.getSessionCookieConfig().setHttpOnly(true);
}