Cookies not set in certain responses

Hi all,

Our application (based on Vaadin and Grails) is secured by Spring Security using the customized Vaadin LoginForm for username/password entry, which works quite nicely. In order to resolve the remember-me functionality, we implemented the HttpServletRequestListener on our Vaadin application as mentioned in the Book of Vaadin. A LoginController is then called by the LoginForm and performs the authentication stuff using Spring Security. To be able to write a cookie in the onRequestEnd method of the Vaadin application, the login controller sets a flag (loginResult) on the Vaadin application. If the flag is set, the Vaadin application writes a cookie into the HTTP response (see snippet below).

However, this only works if the cookie is written into the response of the page render request. The login process contains two requests: the first one is the submit request of the LoginForm and the second one is the page render request triggered by Vaadin upon UI component changes. If the cookie is written into the response of the submit request, the cookie never reaches the browser. On the other hand, if the cookie is written into the page render response, it appears correctly in the browser registry.

Now, the current solution writes the cookie into every following response, which is not a clean solution, but works. Does anyone have an idea why it is not possible to write cookies in any response?

  public void onRequestEnd(HttpServletRequest request,
                           HttpServletResponse response) {
    // set or delete remember me cookie if needed
    if (loginResult != null) {
      TokenBasedRememberMeServices rememberMeServices = getBean(TokenBasedRememberMeServices.class)
      switch (loginResult) {
        case LoginResult.LOGIN_SUCCESS:
          // write remember me cookie
          rememberMeServices.loginSuccess(request, response, SecurityContextHolder.getContext().getAuthentication())
          break  // Groovy switch falls through without an explicit break

        case LoginResult.LOGIN_FAILED:
          // delete remember me cookie
          rememberMeServices.loginFail(request, response)
          break

        case LoginResult.LOGOUT:
          // delete remember me cookie
          rememberMeServices.logout(request, response, null)
          autoLoginAllowed = false
          break
      }

      // The loginResult flag should be reset in order not to write the cookie multiple times, but since this does not work in
      // every request, the workaround does not reset the flag and updates the cookie in every response.
      //        loginResult = null
    }
  }

Btw: I’m aware of the thread in which the cookie stuff is discussed in detail and also of the BrowserCookies addin, but since we have to perform the auto-login before the app is initialized, this doesn’t seem to be the proper solution for us.

Thanks in advance,