Plugins You can find out about all the publicly available Grails plugins.

Cookie Session Plugin

2 votes
compile "org.grails.plugins:cookie-session:2.0.18"

 Documentation  Source


The Cookie Session plugin enables grails applications to store session data in http cookies between requests instead of in memory on the server. This allows application deployments to be more stateless which supports simplified scaling architectures and fault tolerance.


  compile ':cookie-session:2.0.16'


*Cookie Session for Grails 3.x is available from:

the full documentation is here

Grails 2.3.0 Note If you're using Grails 2.3.0, you'll also need to add the webxml plugin to your project as follows:

   compile ':webxml:1.4.1'

Release History


  • reverted behavior of creating minimal number of cookies to avoid corrupt cookied being created during asynchronous calls to the server
  • reverted behavior of creating session as late as possible when springsecurity is being used. this guarantees that a session is available for users credentials to be stored in
  • updated plugin to remove dependency on Configuration holder and make it compatible with Grails 2.4.x
  • removing unused import of hibernate class dependency, fixes tomcat7
  • minor bug fix. httpOnly was being set on cookies regardless of servlet version resulting in a null ref exception if servlet version is 2.5.
  • added overrides for HttpServletReponse.sendError so that session is written before the response is committed
  • added support for grails spring security plugin 2.0
  • NOTE: if you're using spring security 2.0+ set
grails.plugin.springsecurity.useSessionFixationPrevention = false

2.0.13 (bug fixes to 2.0.12)

  • fixed issue detecting changes to sessioncookieconfig
  • fixed issue with handling byte arrays assigned to secret
  • upgraded kryo-serializes dependency to 0.26
  • expanded encryption algorithm support for non-ECB ciphers
  • expanded cookie configuration options
  • added support for servlet 3.0 SessionCookieConfig
  • optimized cookies transfered to client to ensure that empty cookies aren't sent
  • added setsecure config option to support secure cookies. Secure cookies are only sent over secure connections.
  • updated kryo libraries to latest version (kryo 2.21 and kryo serializers 0.23)
  • removed dependencies on spring security libraries. Any dependency on a spring security class is handled with reflection in order to direct dependencies.
  • improved kryo serialization support for spring security related classes
  • removed @Log4j annotations so its compatible with older versions of groovy
  • session are now only created when they are needed (Thanks Julien!)
  • added spring security compatibility mode
  • updated kryo serializer configuration to handle common grails objects
  • added SessionSerializer interface for incorporating custom serializers in plugin
  • resolved critical bug involving cookie sessions being evenly divisible by the number of paritions (cookies) the session is split over. (Thanks Reginald!)
  • fixed bugs that prevented cookie-sessions from working with Jetty. The issue was found while attempting to deploy a a grails app to Heroku. (Thanks Paul!)
  • added support for the kryo serializer. significantly reduces the size of the cookies. (Thanks Lukas from Berlin!)
  • fixed issue with how plugin handles sessions that can't be recovered from cookies
  • raises exception when serialized session exceeds max storage space available in cookies
  • added SessionPersistenceListener interface to allow client code to inspect session after its recovered and before its serialized
  • added ExceptionCondenser (enabled with config setting) which replaces exception instances with the exception's message in the session. This helps to prevent the session storage from overflowing when libraries attempt to store exceptions in the session.
  • fixed issue with controller redirects. Session now gets written when the status on the HttpServletResponse is set.
  • fixed issue with secret. when secret isn't specified, cookie-session not generates keys that are compatible with the crypto algorithm, regardless of which algorithm is specified.
  • secret can now be specified in the config file as either an array of bytes or a string
  • first release of version 2.0