Spring Session provides an API and implementations for managing a user’s session information.
Introduction
Spring Session provides an API and implementations for managing a user’s session information. It also provides transparent integration with:
- 
HttpSession - allows replacing the HttpSession in an application container (i.e. Tomcat) neutral way. Additional features include: - 
Clustered Sessions - Spring Session makes it trivial to support clustered sessions without being tied to an application container specific solution. 
- 
Multiple Browser Sessions - Spring Session supports managing multiple users' sessions in a single browser instance (i.e. multiple authenticated accounts similar to Google). 
- 
RESTful APIs - Spring Session allows providing session ids in headers to work with RESTful APIs 
 
- 
- 
WebSocket - provides the ability to keep the HttpSessionalive when receiving WebSocket messages
What’s New in 1.1
Below are the highlights of what is new in Spring Session 1.1. You can find a complete list of what’s new in 1.1.0 M1, 1.1.0 RC1, and 1.1.0 by referring to the changelog.
- 
#148 - Added GemFire Support 
- 
#4 - Add HttpSessionListener support 
- 
#283 - Allow override default RedisSerializer
- 
#277 - Added @EnableHazelcastHttpSession 
- 
#271 - Performance improvements 
- 
#218 - Allow scoping the session in Redis using redisNamespace 
- 
#273 - Allow writing to Redis immediately (instead of lazily) using redisFlushMode 
- 
#272 - Add ExpiringSession.setLastAccessedTime(long)
- 
#349 - Added Gitter Room for discussing Spring Session 
- 
#388 - Support Spring Framework WebSockets 
Samples and Guides (Start Here)
If you are looking to get started with Spring Session, the best place to start is our Sample Applications.
| Source | Description | Guide | 
|---|---|---|
| Demonstrates how to use Spring Session to replace the  | ||
| Demonstrates how to use Spring Session to replace the  | ||
| Demonstrates how to use Spring Session to replace the  | ||
| Demonstrates how to use Spring Session to replace the  | ||
| Demonstrates how to use Spring Session to replace the  | ||
| Demonstrates how to use Spring Session to replace the  | ||
| Demonstrates how to use Spring Session and customize the cookie. | ||
| Demonstrates how to use Spring Session with Spring Boot. | ||
| Demonstrates how to use Spring Session with an existing Spring Security application. | ||
| Demonstrates how to use Spring Session in a REST application to support authenticating with a header. | ||
| Demonstrates how to use Spring Session to find sessions by username. | ||
| Demonstrates how to use Spring Session to manage multiple simultaneous browser sessions (i.e Google Accounts). | ||
| Demonstrates how to use Spring Session with WebSockets. | ||
| Demonstrates how to use Spring Session with Hazelcast. | TBD | |
| Demonstrates how to use Spring Session and Hazelcast with an existing Spring Security application. | 
HttpSession Integration
Spring Session provides transparent integration with HttpSession.
This means that developers can switch the HttpSession implementation out with an implementation that is backed by Spring Session.
Why Spring Session & HttpSession?
We have already mentioned that Spring Session provides transparent integration with HttpSession, but what benefits do we get out of this?
- 
Clustered Sessions - Spring Session makes it trivial to support clustered sessions without being tied to an application container specific solution. 
- 
Multiple Browser Sessions - Spring Session supports managing multiple users' sessions in a single browser instance (i.e. multiple authenticated accounts similar to Google). 
- 
RESTful APIs - Spring Session allows providing session ids in headers to work with RESTful APIs 
HttpSession with Redis
Using Spring Session with HttpSession is enabled by adding a Servlet Filter before anything that uses the HttpSession.
You can choose from enabling this using either:
Redis Java Based Configuration
This section describes how to use Redis to back HttpSession using Java based configuration.
| The HttpSession Sample provides a working sample on how to integrate Spring Session and HttpSessionusing XML configuration.
You can read the basic steps for integration below, but you are encouraged to follow along with the detailed HttpSession Guide when integrating with your own application. | 
Spring Java Configuration
After adding the required dependencies, we can create our Spring configuration.
The Spring configuration is responsible for creating a Servlet Filter that replaces the HttpSession implementation with an implementation backed by Spring Session.
Add the following Spring Configuration:
@EnableRedisHttpSession (1)
public class Config {
        @Bean
        public JedisConnectionFactory connectionFactory() {
                return new JedisConnectionFactory(); (2)
        }
}| 1 | The @EnableRedisHttpSessionannotation creates a Spring Bean with the name ofspringSessionRepositoryFilterthat implements Filter.
The filter is what is in charge of replacing theHttpSessionimplementation to be backed by Spring Session.
In this instance Spring Session is backed by Redis. | 
| 2 | We create a RedisConnectionFactorythat connects Spring Session to the Redis Server.
We configure the connection to connect to localhost on the default port (6379)
For more information on configuring Spring Data Redis, refer to the reference documentation. | 
Java Servlet Container Initialization
Our Spring Configuration created a Spring Bean named springSessionRepositoryFilter that implements Filter.
The springSessionRepositoryFilter bean is responsible for replacing the HttpSession with a custom implementation that is backed by Spring Session.
In order for our Filter to do its magic, Spring needs to load our Config class.
Last we need to ensure that our Servlet Container (i.e. Tomcat) uses our springSessionRepositoryFilter for every request.
Fortunately, Spring Session provides a utility class named AbstractHttpSessionApplicationInitializer both of these steps extremely easy.
You can find an example below:
public class Initializer
                extends AbstractHttpSessionApplicationInitializer { (1)
        public Initializer() {
                super(Config.class); (2)
        }
}| The name of our class (Initializer) does not matter. What is important is that we extend AbstractHttpSessionApplicationInitializer. | 
| 1 | The first step is to extend AbstractHttpSessionApplicationInitializer.
This ensures that the Spring Bean by the namespringSessionRepositoryFilteris registered with our Servlet Container for every request. | 
| 2 | AbstractHttpSessionApplicationInitializeralso provides a mechanism to easily ensure Spring loads ourConfig. | 
Redis XML Based Configuration
This section describes how to use Redis to back HttpSession using XML based configuration.
| The HttpSession XML Sample provides a working sample on how to integrate Spring Session and HttpSessionusing XML configuration.
You can read the basic steps for integration below, but you are encouraged to follow along with the detailed HttpSession XML Guide when integrating with your own application. | 
Spring XML Configuration
After adding the required dependencies, we can create our Spring configuration.
The Spring configuration is responsible for creating a Servlet Filter that replaces the HttpSession implementation with an implementation backed by Spring Session.
Add the following Spring Configuration:
(1)
<context:annotation-config/>
<bean class="org.springframework.session.data.redis.config.annotation.web.http.RedisHttpSessionConfiguration"/>
(2)
<bean class="org.springframework.data.redis.connection.jedis.JedisConnectionFactory"/>| 1 | We use the combination of <context:annotation-config/>andRedisHttpSessionConfigurationbecause Spring Session does not yet provide XML Namespace support (see gh-104).
This creates a Spring Bean with the name ofspringSessionRepositoryFilterthat implements Filter.
The filter is what is in charge of replacing theHttpSessionimplementation to be backed by Spring Session.
In this instance Spring Session is backed by Redis. | 
| 2 | We create a RedisConnectionFactorythat connects Spring Session to the Redis Server.
We configure the connection to connect to localhost on the default port (6379)
For more information on configuring Spring Data Redis, refer to the reference documentation. | 
XML Servlet Container Initialization
Our Spring Configuration created a Spring Bean named springSessionRepositoryFilter that implements Filter.
The springSessionRepositoryFilter bean is responsible for replacing the HttpSession with a custom implementation that is backed by Spring Session.
In order for our Filter to do its magic, we need to instruct Spring to load our session.xml configuration.
We do this with the following configuration:
<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>
        /WEB-INF/spring/*.xml
    </param-value>
</context-param>
<listener>
    <listener-class>
        org.springframework.web.context.ContextLoaderListener
    </listener-class>
</listener>The ContextLoaderListener reads the contextConfigLocation and picks up our session.xml configuration.
Last we need to ensure that our Servlet Container (i.e. Tomcat) uses our springSessionRepositoryFilter for every request.
The following snippet performs this last step for us:
<filter>
    <filter-name>springSessionRepositoryFilter</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
    <filter-name>springSessionRepositoryFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>The DelegatingFilterProxy will look up a Bean by the name of springSessionRepositoryFilter and cast it to a Filter.
For every request that DelegatingFilterProxy is invoked, the springSessionRepositoryFilter will be invoked.
HttpSession with Pivotal GemFire
When Pivotal GemFire is used with Spring Session, a web application’s
HttpSession can be replaced with a clustered implementation managed by GemFire and conveniently accessed
with Spring Session’s API.
The two most common topologies to manage Spring Sessions using GemFire include:
Additionally, GemFire supports site-to-site replication using WAN functionality. The ability to configure and use GemFire’s WAN support is independent of Spring Session, and is beyond the scope of this document. More details on GemFire WAN functionality can be found here.
GemFire Client-Server
The Client-Server topology will probably be the more common configuration preference for users when using GemFire as a provider in Spring Session since a GemFire server will have significantly different and unique JVM heap requirements when compared to the application. Using a client-server topology enables an application to manage (e.g. replicate) application state independently from other application processes.
In a client-server topology, an application using Spring Session will open a client cache connection to a (remote)
GemFire server cluster to manage and provide consistent access to all HttpSession state.
You can configure a Client-Server topology with either:
GemFire Client-Server Java-based Configuration
This section describes how to use GemFire’s Client-Server topology to back an HttpSession with Java-based configuration.
| The HttpSession with GemFire (Client-Server) Sample provides a working sample on how to integrate Spring Session and GemFire to replace the HttpSession using Java configuration. You can read the basic steps for integration below, but you are encouraged to follow along with the detailed HttpSession with GemFire (Client-Server) Guide when integrating with your own application. | 
Spring Java Configuration
After adding the required dependencies and repository declarations, we can create our Spring configuration.
The Spring configuration is responsible for creating a Servlet Filter that replaces the HttpSession
with an implementation backed by Spring Session and GemFire.
Add the following Spring Configuration:
@EnableGemFireHttpSession(maxInactiveIntervalInSeconds = 30) (1)
public class ClientConfig {
        static final long DEFAULT_WAIT_DURATION = TimeUnit.SECONDS.toMillis(20);
        static final long DEFAULT_WAIT_INTERVAL = 500l;
        static final CountDownLatch latch = new CountDownLatch(1);
        static {
                System.setProperty("gemfire.log-level",
                        System.getProperty("sample.httpsession.gemfire.log-level", "warning"));
                ClientMembership.registerClientMembershipListener(
                        new ClientMembershipListenerAdapter() {
                                public void memberJoined(ClientMembershipEvent event) {
                                        if (!event.isClient()) {
                                                latch.countDown();
                                        }
                                }
                });
        }
        @Bean
        PropertySourcesPlaceholderConfigurer propertySourcesPlaceholderConfigurer() {
                return new PropertySourcesPlaceholderConfigurer();
        }
        @Bean
        Properties gemfireProperties() { (2)
                return new Properties();
        }
        @Bean(name = GemfireConstants.DEFAULT_GEMFIRE_POOL_NAME)
        PoolFactoryBean gemfirePool( (3)
                        @Value("${spring.session.data.gemfire.port:"+ServerConfig.SERVER_PORT+"}") int port) {
                PoolFactoryBean poolFactory = new PoolFactoryBean();
                poolFactory.setName(GemfireConstants.DEFAULT_GEMFIRE_POOL_NAME);
                poolFactory.setFreeConnectionTimeout(5000); // 5 seconds
                poolFactory.setKeepAlive(false);
                poolFactory.setMaxConnections(ServerConfig.MAX_CONNECTIONS);
                poolFactory.setPingInterval(TimeUnit.SECONDS.toMillis(5));
                poolFactory.setReadTimeout(2000); // 2 seconds
                poolFactory.setRetryAttempts(2);
                poolFactory.setSubscriptionEnabled(true);
                poolFactory.setThreadLocalConnections(false);
                poolFactory.setServerEndpoints(Collections.singletonList(new ConnectionEndpoint(
                        ServerConfig.SERVER_HOSTNAME, port)));
                return poolFactory;
        }
        @Bean
        ClientCacheFactoryBean gemfireCache(Pool gemfirePool) { (4)
                ClientCacheFactoryBean clientCacheFactory = new ClientCacheFactoryBean();
                clientCacheFactory.setClose(true);
                clientCacheFactory.setProperties(gemfireProperties());
                clientCacheFactory.setPool(gemfirePool);
                clientCacheFactory.setUseBeanFactoryLocator(false);
                return clientCacheFactory;
        }
        @Bean
        BeanPostProcessor gemfireCacheServerReadyBeanPostProcessor( (5)
                        @Value("${spring.session.data.gemfire.port:"+ServerConfig.SERVER_PORT+"}") final int port) {
                return new BeanPostProcessor() {
                        public Object postProcessBeforeInitialization(
                                        Object bean, String beanName) throws BeansException {
                                if (bean instanceof PoolFactoryBean || bean instanceof Pool) {
                                        Assert.isTrue(waitForCacheServerToStart(ServerConfig.SERVER_HOSTNAME, port),
                                                String.format("GemFire Server failed to start [hostname: %1$s, port: %2$d]",
                                                        ServerConfig.SERVER_HOSTNAME, port));
                                }
                                return bean;
                        }
                        public Object postProcessAfterInitialization(
                                        Object bean, String beanName) throws BeansException {
                                if (bean instanceof PoolFactoryBean || bean instanceof Pool) {
                                        try {
                                                latch.await(DEFAULT_WAIT_DURATION,
                                                        TimeUnit.MILLISECONDS);
                                        }
                                        catch (InterruptedException e) {
                                                Thread.currentThread().interrupt();
                                        }
                                }
                                return bean;
                        }
                };
        }| 1 | The @EnableGemFireHttpSessionannotation creates a Spring bean namedspringSessionRepositoryFilterthat
implementsFilter. The filter is what replaces theHttpSessionwith an implementation backed by Spring Session.
In this instance, Spring Session is backed by GemFire. | 
| 2 | Next, we register a Propertiesbean that allows us to configure certain aspects of the GemFire client cache
using GemFire’s System properties. | 
| 3 | Then, we configure a Poolof client connections to talk to the GemFire Server in our Client/Server topology. In our
configuration, we have used sensible settings for timeouts, number of connections and so on. Also, thePoolhas been
configured to connect directly to a server. Learn more about variousPoolconfiguration settings from the
PoolFactory API. | 
| 4 | After configuring a Pool, we create an instance of the GemFire client cache using the GemFirePropertiesandPoolto communicate with the server and perform cache data access operations. | 
| 5 | Finally, we include a Spring BeanPostProcessorto block the client until our GemFire Server is up and running,
listening for and accepting client connections. | 
The gemfireCacheServerReadyBeanPostProcessor is necessary in order to coordinate the client and server in
an automated fashion during testing, but unnecessary in situations where the GemFire cluster is already presently
running, such as in production. This BeanPostProcessor implements 2 approaches to ensure our server has adequate
time to startup.
The first approach uses a timed wait, checking at periodic intervals to determine whether a client Socket connection
can be made to the server’s CacheServer endpoint.
The second approach uses a GemFire ClientMembershipListener
that will be notified when the client has successfully connected to the server. Once a connection has been established,
the listener releases the latch that the BeanPostProcessor will wait on (up to the specified timeout) in the
postProcessAfterInitialization callback to block the client. Either one of these approaches are sufficient
by themselves, but both are demonstrated here to illustrate how this might work and to give you ideas, or other options
in practice.
| In typical GemFire deployments, where the cluster includes potentially hundreds of GemFire data nodes (servers), it is more common for clients to connect to one or more GemFire Locators running in the cluster. A Locator passes meta-data to clients about the servers available, load and which servers have the client’s data of interest, which is particularly important for single-hop, direct data access. See more details about the Client/Server Topology in GemFire’s User Guide. | 
| For more information on configuring Spring Data GemFire, refer to the reference guide. | 
The @EnableGemFireHttpSession annotation enables a developer to configure certain aspects of both Spring Session
and GemFire out-of-the-box using the following attributes:
- 
maxInactiveIntervalInSeconds- controls HttpSession idle-timeout expiration (defaults to 30 minutes).
- 
regionName- specifies the name of the GemFire Region used to storeHttpSessionstate (defaults is "ClusteredSpringSessions").
- 
clientRegionShort- specifies GemFire data management policies with a GemFire ClientRegionShortcut (default isPROXY).
| It is important to note that the GemFire client Region name must match a server Region by the same name if
the client Region is a PROXYorCACHING_PROXY.  Names are not required to match if the client Region used to
store Spring Sessions isLOCAL, however, keep in mind that your session state will not be propagated to the server
and you lose all benefits of using GemFire to store and manage distributed, replicated session state information
in a cluster. | 
| serverRegionShortis ignored in a client/server cache configuration and only applies when a peer-to-peer (P2P) topology,
and more specifically, a GemFire peer cache is used. | 
Server Configuration
Now, we have only covered one side of the equation. We also need a GemFire Server for our client to talk to and pass session state up to the server to manage.
In this sample, we will use the following GemFire Server Java Configuration:
@EnableGemFireHttpSession(maxInactiveIntervalInSeconds = 30)(1)
public class ServerConfig {
        static final int MAX_CONNECTIONS = 50;
        static final int SERVER_PORT = 12480;
        static final String SERVER_HOSTNAME = "localhost";
        @Bean
        PropertySourcesPlaceholderConfigurer propertySourcesPlaceholderConfigurer() {
                return new PropertySourcesPlaceholderConfigurer();
        }
        @Bean
        Properties gemfireProperties() { (2)
                Properties gemfireProperties = new Properties();
                gemfireProperties.setProperty("name", "GemFireClientServerHttpSessionSample");
                gemfireProperties.setProperty("mcast-port", "0");
                gemfireProperties.setProperty("log-level",
                        System.getProperty("sample.httpsession.gemfire.log-level", "warning"));
                gemfireProperties.setProperty("jmx-manager", "true");
                gemfireProperties.setProperty("jmx-manager-start", "true");
                return gemfireProperties;
        }
        @Bean
        CacheFactoryBean gemfireCache() { (3)
                CacheFactoryBean gemfireCache = new CacheFactoryBean();
                gemfireCache.setProperties(gemfireProperties());
                gemfireCache.setUseBeanFactoryLocator(false);
                return gemfireCache;
        }
        @Bean
        CacheServerFactoryBean gemfireCacheServer(Cache gemfireCache, (4)
                        @Value("${spring.session.data.gemfire.port:"+SERVER_PORT+"}") int port) {
                CacheServerFactoryBean cacheServerFactory = new CacheServerFactoryBean();
                cacheServerFactory.setAutoStartup(true);
                cacheServerFactory.setBindAddress(SERVER_HOSTNAME);
                cacheServerFactory.setCache(gemfireCache);
                cacheServerFactory.setMaxConnections(MAX_CONNECTIONS);
                cacheServerFactory.setPort(port);
                return cacheServerFactory;
        }
        @SuppressWarnings("resource")
        public static void main(final String[] args) throws IOException { (5)
                new AnnotationConfigApplicationContext(ServerConfig.class)
                        .registerShutdownHook();
        }
}| 1 | On the server, we also configure Spring Session using the @EnableGemFireHttpSessionannotation. For one, this
ensures that the Region names on both the client and server match (in this sample, we use the default "ClusteredSpringSessions").
We have also set the session timeout to 30 seconds. Later, we will see how this timeout is used. | 
| 2 | Next, we configure the GemFire Server using GemFire System properties very much like our P2P samples.
With the mcast-portset to 0 and nolocatorsproperty specified, our server will be standalone. We also allow a
JMX client (e.g. Gfsh) to connect to our server with the use of the GemFire-specific JMX System properties. | 
| 3 | Then, we create an instance of the GemFire peer cache using our GemFire System properties. | 
| 4 | We also setup a GemFire CacheServerinstance running on localhost, listening on port 12480,
to accept our client connection. | 
| 5 | Finally, we declare a mainmethod as an entry point for launching and running our GemFire Server
from the command-line. | 
Java Servlet Container Initialization
Our Spring Java Configuration created a Spring bean named springSessionRepositoryFilter
that implements Filter. The springSessionRepositoryFilter bean is responsible for replacing the HttpSession
with a custom implementation backed by Spring Session and GemFire.
In order for our Filter to do its magic, Spring needs to load our ClientConfig class. We also need to ensure our
Servlet Container (i.e. Tomcat) uses our springSessionRepositoryFilter for every request. Fortunately, Spring Session
provides a utility class named AbstractHttpSessionApplicationInitializer to make both of these steps extremely easy.
You can find an example below:
public class Initializer
                extends AbstractHttpSessionApplicationInitializer { (1)
        public Initializer() {
                super(ClientConfig.class); (2)
        }
}| The name of our class ( Initializer) does not matter. What is important is that we extendAbstractHttpSessionApplicationInitializer. | 
| 1 | The first step is to extend AbstractHttpSessionApplicationInitializer.
This ensures that a Spring bean namedspringSessionRepositoryFilteris registered with our Servlet Container
and used for every request. | 
| 2 | AbstractHttpSessionApplicationInitializeralso provides a mechanism to easily allow Spring to load ourClientConfig. | 
GemFire Client-Server XML-based Configuration
This section describes how to use GemFire’s Client-Server topology to back an HttpSession with XML-based configuration.
| The HttpSession with GemFire (Client-Server) using XML Sample provides a working sample on how to
integrate Spring Session and GemFire to replace the HttpSessionusing XML configuration. You can read the basic steps
for integration below, but you are encouraged to follow along with the detailed HttpSession with GemFire (Client-Server)
using XML Guide when integrating with your own application. | 
Spring XML Configuration
After adding the required dependencies and repository declarations, we can create our Spring configuration.
The Spring configuration is responsible for creating a Servlet Filter that replaces the HttpSession
with an implementation backed by Spring Session and GemFire.
Add the following Spring Configuration:
        (1)
        <util:properties id="applicationProperties"
                     location="classpath:META-INF/spring/application.properties"/>
        (2)
        <context:property-placeholder properties-ref="applicationProperties"/>
        (3)
        <context:annotation-config/>
        (4)
        <bean class="org.springframework.session.data.gemfire.config.annotation.web.http.GemFireHttpSessionConfiguration"
          p:maxInactiveIntervalInSeconds="30"/>
        (5)
        <bean class="sample.GemFireCacheServerReadyBeanPostProcessor"/>
        (6)
        <util:properties id="gemfireProperties">
                <prop key="log-level">${sample.httpsession.gemfire.log-level:warning}</prop>
        </util:properties>
        (7)
        <gfe:pool free-connection-timeout="5000"
              keep-alive="false"
              ping-interval="5000"
              read-timeout="5000"
              retry-attempts="2"
              subscription-enabled="true"
              thread-local-connections="false"
              max-connections="${application.gemfire.client-server.max-connections}">
                <gfe:server host="${application.gemfire.client-server.host}"
                    port="${spring.session.data.gemfire.port:${application.gemfire.client-server.port}}"/>
        </gfe:pool>
        <gfe:client-cache properties-ref="gemfireProperties"
                      use-bean-factory-locator="false"/>| 1 | First, a Propertiesbean is created to reference GemFire configuration common to both the client and server,
stored in theMETA-INF/spring/application.propertiesfile. | 
| 2 | The application.propertiesare used along with thePropertySourcesPlaceholderConfigurerbean to replace
placeholders in the Spring XML configuration meta-data with property values. | 
| 3 | Spring annotation configuration support is enabled with <context:annotation-config/>element so that any
Spring beans declared in the XML config that are annotated with either Spring or Standard Java annotations supported
by Spring will be configured appropriately. | 
| 4 | GemFireHttpSessionConfigurationis registered to enable Spring Session functionality. | 
| 5 | Then, a Spring BeanPostProcessoris registered to determine whether a GemFire Server at the designated host/port
is running, blocking client startup until the server is available. | 
| 6 | Next, we include a Propertiesbean to configure certain aspects of the GemFire client cache using
GemFire’s System properties.
In this case, we are just setting GemFire’slog-levelfrom a sample application-specific System property, defaulting
towarningif unspecified. | 
| 7 | Finally, we create the GemFire client cache and configure a Pool of client connections to talk to the GemFire Server
in our Client/Server topology. In our configuration, we use sensible settings for timeouts, number of connections
and so on. Also, our Poolhas been configured to connect directly to a server. | 
| In typical GemFire deployments, where the cluster includes potentially hundreds of GemFire data nodes (servers), it is more common for clients to connect to one or more GemFire Locators running in the cluster. A Locator passes meta-data to clients about the servers available, load and which servers have the client’s data of interest, which is particularly important for single-hop, direct data access. See more details about the Client/Server Topology in GemFire’s User Guide. | 
| For more information on configuring Spring Data GemFire, refer to the reference guide. | 
Server Configuration
Now, we have only covered one side of the equation. We also need a GemFire Server for our client to talk to and pass session state information up to the server to manage.
In this sample, we will use the following GemFire Server Java Configuration:
        (1)
        <context:annotation-config/>
        (2)
        <context:property-placeholder location="classpath:META-INF/spring/application.properties"/>
        (3)
        <bean class="org.springframework.session.data.gemfire.config.annotation.web.http.GemFireHttpSessionConfiguration"
          p:maxInactiveIntervalInSeconds="30"/>
        (4)
        <util:properties id="gemfireProperties">
                <prop key="name">GemFireClientServerHttpSessionXmlSample</prop>
                <prop key="mcast-port">0</prop>
                <prop key="log-level">${sample.httpsession.gemfire.log-level:warning}</prop>
                <prop key="jmx-manager">true</prop>
                <prop key="jmx-manager-start">true</prop>
        </util:properties>
        (5)
        <gfe:cache properties-ref="gemfireProperties"
               use-bean-factory-locator="false"/>
        (6)
        <gfe:cache-server auto-startup="true"
                      bind-address="${application.gemfire.client-server.host}"
                      port="${spring.session.data.gemfire.port:${application.gemfire.client-server.port}}"
                      max-connections="${application.gemfire.client-server.max-connections}"/>| 1 | First, we enable Spring annotation config support with the <context:annotation-config>element so that any
Spring beans declared in the XML config that are annotated with either Spring or Standard Java annotations supported
by Spring will be configured appropriately. | 
| 2 | A PropertySourcesPlaceholderConfigureris registered to replace placeholders in our Spring XML configuration
meta-data with property values fromMETA-INF/spring/application.properties. | 
| 3 | We enable the same Spring Session functionality that we used on the client by registering an instance of GemFireHttpSessionConfiguration,
except that we set the session expiration timeout to 30 seconds. We will explain later what this means. | 
| 4 | Next, we configure the GemFire Server using GemFire System properties very much like our P2P samples.
With the mcast-portset to 0 and nolocatorsproperty specified, our server will be standalone. We also allow a
JMX client (e.g. Gfsh) to connect to our server with the use of the GemFire-specific JMX System properties. | 
| 5 | Then, we create an instance of the GemFire peer cache using our GemFire System properties. | 
| 6 | And finally, we also setup a GemFire CacheServerinstance running on localhost, listening on port 11235,
to accept our client connection. | 
The GemFire Server configuration gets bootstrapped with the following:
@Configuration (1)
@ImportResource("META-INF/spring/session-server.xml") (2)
public class Application {
        public static void main(final String[] args) {
                AnnotationConfigApplicationContext context = new AnnotationConfigApplicationContext(Application.class);
                context.registerShutdownHook();
        }
}| Instead of a simple Java class with a main method, you could also use Spring Boot. | 
| 1 | The @Configurationannotation designates this Java class as a source for Spring configuration meta-data using
Spring’s annotation configuration support. | 
| 2 | Primarily, the configuration comes from the META-INF/spring/session-server.xmlfile, which is also the reason
why Spring Boot was not used in this sample, since using XML seemingly defeats the purpose and benefits
of using Spring Boot. However, this sample is about demonstrating how to use Spring XML to configure
the GemFire client and server. | 
XML Servlet Container Initialization
Our Spring XML Configuration created a Spring bean named springSessionRepositoryFilter
that implements Filter. The springSessionRepositoryFilter bean is responsible for replacing the HttpSession with
a custom implementation that is backed by Spring Session and GemFire.
In order for our Filter to do its magic, we need to instruct Spring to load our session-client.xml configuration file.
We do this with the following configuration:
<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>
        /WEB-INF/spring/session-client.xml
    </param-value>
</context-param>
<listener>
    <listener-class>
        org.springframework.web.context.ContextLoaderListener
    </listener-class>
</listener>The ContextLoaderListener
reads the contextConfigLocation context parameter value and picks up our session-client.xml configuration file.
Finally, we need to ensure that our Servlet Container (i.e. Tomcat) uses our springSessionRepositoryFilter
for every request.
The following snippet performs this last step for us:
<filter>
    <filter-name>springSessionRepositoryFilter</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
    <filter-name>springSessionRepositoryFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>The DelegatingFilterProxy
will look up a bean by the name of springSessionRepositoryFilter and cast it to a Filter. For every request that DelegatingFilterProxy
is invoked, the springSessionRepositoryFilter will be invoked.
GemFire Peer-To-Peer (P2P)
Perhaps less common would be to configure the Spring Session application as a peer member in the GemFire cluster using the Peer-To-Peer (P2P) topology. In this configuration, a Spring Session application would be an actual data node (server) in the GemFire cluster, and not a cache client as before.
One advantage to this approach is the proximity of the application to the application’s state (i.e. it’s data). However, there are other effective means of accomplishing similar data dependent computations, such as using GemFire’s Function Execution. Any of GemFire’s other features can be used when GemFire is serving as a provider in Spring Session.
P2P is very useful for both testing purposes as well as smaller, more focused and self-contained applications, such as those found in a microservices architecture, and will most certainly improve on your application’s latency, throughput and consistency needs.
You can configure a Peer-To-Peer (P2P) topology with either:
GemFire Peer-To-Peer (P2P) Java-based Configuration
This section describes how to use GemFire’s Peer-To-Peer (P2P) topology to back an HttpSession using Java-based configuration.
| The HttpSession with GemFire (P2P) Sample provides a working sample on how to integrate
Spring Session and GemFire to replace the HttpSessionusing Java configuration. You can read the basic steps
for integration below, but you are encouraged to follow along with the detailed HttpSession with GemFire (P2P) Guide
when integrating with your own application. | 
Spring Java Configuration
After adding the required dependencies and repository declarations, we can create our Spring configuration.
The Spring configuration is responsible for creating a Servlet Filter that replaces the HttpSession
with an implementation backed by Spring Session and GemFire.
Add the following Spring Configuration:
@EnableGemFireHttpSession (1)
public class Config {
        @Bean
        Properties gemfireProperties() { (2)
                Properties gemfireProperties = new Properties();
                gemfireProperties.setProperty("name", "GemFireP2PHttpSessionSample");
                gemfireProperties.setProperty("mcast-port", "0");
                gemfireProperties.setProperty("log-level",
                        System.getProperty("sample.httpsession.gemfire.log-level", "warning"));
                gemfireProperties.setProperty("jmx-manager", "true");
                gemfireProperties.setProperty("jmx-manager-start", "true");
                return gemfireProperties;
        }
        @Bean
        CacheFactoryBean gemfireCache() { (3)
                CacheFactoryBean gemfireCache = new CacheFactoryBean();
                gemfireCache.setProperties(gemfireProperties());
                gemfireCache.setUseBeanFactoryLocator(false);
                return gemfireCache;
        }
}| 1 | The @EnableGemFireHttpSessionannotation creates a Spring bean namedspringSessionRepositoryFilterthat
implementsFilter. The filter is what replaces theHttpSessionwith an implementation backed by Spring Session.
In this instance, Spring Session is backed by GemFire. | 
| 2 | Then, we configure a GemFire peer cache using standard GemFire System properties.  We give the GemFire data node
a name using the nameproperty and setmcast-portto 0.  With the absence of alocatorsproperty, this data node
will be a standalone server. GemFire’slog-levelis set using an application-specific System property (sample.httpsession.gemfire.log-level)
that a user can specify on the command-line when running this sample application using either Maven or Gradle (default is "warning"). | 
| 3 | Finally, we create an instance of the GemFire peer cache that embeds GemFire in the same JVM process as the running Spring Session sample application. | 
| Additionally, we have configured this data node (server) as a GemFire Manager as well using GemFire-specific JMX System properties that enable JMX client (e.g. Gfsh) to connect to this running data node. | 
| For more information on configuring Spring Data GemFire, refer to the reference guide. | 
The @EnableGemFireHttpSession annotation enables a developer to configure certain aspects of Spring Session
and GemFire out-of-the-box using the following attributes:
- 
maxInactiveIntervalInSeconds- controls HttpSession idle-timeout expiration (defaults to 30 minutes).
- 
regionName- specifies the name of the GemFire Region used to storeHttpSessionstate (defaults is "ClusteredSpringSessions").
- 
serverRegionShort- specifies GemFire data management policies with a GemFire RegionShortcut (default isPARTITION).
| clientRegionShortis ignored in a peer cache configuration and only applies when a client-server topology,
and more specifically, a GemFire client cache is used. | 
Java Servlet Container Initialization
Our Spring Java Configuration created a Spring bean named springSessionRepositoryFilter
that implements Filter. The springSessionRepositoryFilter bean is responsible for replacing the HttpSession
with a custom implementation backed by Spring Session and GemFire.
In order for our Filter to do its magic, Spring needs to load our Config class. We also need to ensure our
Servlet Container (i.e. Tomcat) uses our springSessionRepositoryFilter for every request. Fortunately, Spring Session
provides a utility class named AbstractHttpSessionApplicationInitializer to make both of these steps extremely easy.
You can find an example below:
public class Initializer
                extends AbstractHttpSessionApplicationInitializer { (1)
        public Initializer() {
                super(Config.class); (2)
        }
}| The name of our class ( Initializer) does not matter. What is important is that we extendAbstractHttpSessionApplicationInitializer. | 
| 1 | The first step is to extend AbstractHttpSessionApplicationInitializer.
This ensures that a Spring bean namedspringSessionRepositoryFilteris registered with our Servlet Container
and used for every request. | 
| 2 | AbstractHttpSessionApplicationInitializeralso provides a mechanism to easily allow Spring to load ourConfig. | 
GemFire Peer-To-Peer (P2P) XML-based Configuration
This section describes how to use GemFire’s Peer-To-Peer (P2P) topology to back an HttpSession using XML-based configuration.
| The HttpSession with GemFire (P2P) using XML Sample provides a working sample on how to integrate
Spring Session and GemFire to replace the HttpSessionusing XML configuration. You can read the basic steps for
integration below, but you are encouraged to follow along with the detailed HttpSession with GemFire (P2P) using XML
Guide when integrating with your own application. | 
Spring XML Configuration
After adding the required dependencies and repository declarations, we can create our Spring configuration.
The Spring configuration is responsible for creating a Servlet Filter that replaces the HttpSession
with an implementation backed by Spring Session and GemFire.
Add the following Spring Configuration:
(1)
<context:annotation-config/>
<context:property-placeholder/>
<bean class="org.springframework.session.data.gemfire.config.annotation.web.http.GemFireHttpSessionConfiguration"/>
(2)
<util:properties id="gemfireProperties">
    <prop key="name">GemFireP2PHttpSessionXmlSample</prop>
    <prop key="mcast-port">0</prop>
    <prop key="log-level">${sample.httpsession.gemfire.log-level:warning}</prop>
    <prop key="jmx-manager">true</prop>
    <prop key="jmx-manager-start">true</prop>
</util:properties>
(3)
<gfe:cache properties-ref="gemfireProperties" use-bean-factory-locator="false"/>| 1 | We use the combination of <context:annotation-config/>andGemFireHttpSessionConfigurationbecause Spring Session
does not yet provide XML Namespace support (see gh-104).
This creates a Spring bean with the name ofspringSessionRepositoryFilterthat implementsFilter. The filter is what
replaces theHttpSessionwith an implementation backed by Spring Session.
In this instance, Spring Session is backed by GemFire. | 
| 2 | Then, we configure a GemFire peer cache using standard GemFire System properties.  We give the GemFire data node
a name using the nameproperty and setmcast-portto 0.  With the absence of alocatorsproperty, this data node
will be a standalone server. GemFire’slog-levelis set using an application-specific System property
(sample.httpsession.gemfire.log-level) that a user can specify on the command-line when running this application
using either Maven or Gradle (default is "warning"). | 
| 3 | Finally, we create an instance of the GemFire peer cache that embeds GemFire in the same JVM process as the running Spring Session sample application. | 
| Additionally, we have configured this data node (server) as a GemFire Manager as well using GemFire-specific JMX System properties that enable JMX client (e.g. Gfsh) to connect to this running data node. | 
| For more information on configuring Spring Data GemFire, refer to the reference guide. | 
XML Servlet Container Initialization
Our Spring XML Configuration created a Spring bean named springSessionRepositoryFilter
that implements Filter. The springSessionRepositoryFilter bean is responsible for replacing the HttpSession with
a custom implementation that is backed by Spring Session and GemFire.
In order for our Filter to do its magic, we need to instruct Spring to load our session.xml configuration file.
We do this with the following configuration:
<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>
        /WEB-INF/spring/*.xml
    </param-value>
</context-param>
<listener>
    <listener-class>
        org.springframework.web.context.ContextLoaderListener
    </listener-class>
</listener>The ContextLoaderListener
reads the contextConfigLocation context parameter value and picks up our session.xml configuration file.
Finally, we need to ensure that our Servlet Container (i.e. Tomcat) uses our springSessionRepositoryFilter
for every request.
The following snippet performs this last step for us:
<filter>
    <filter-name>springSessionRepositoryFilter</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
    <filter-name>springSessionRepositoryFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>The DelegatingFilterProxy
will look up a bean by the name of springSessionRepositoryFilter and cast it to a Filter. For every request that DelegatingFilterProxy
is invoked, the springSessionRepositoryFilter will be invoked.
How HttpSession Integration Works
Fortunately both HttpSession and HttpServletRequest (the API for obtaining an HttpSession) are both interfaces.
This means that we can provide our own implementations for each of these APIs.
| This section describes how Spring Session provides transparent integration with HttpSession. The intent is so that user’s can understand what is happening under the covers. This functionality is already integrated and you do NOT need to implement this logic yourself. | 
First we create a custom HttpServletRequest that returns a custom implementation of HttpSession.
It looks something like the following:
public class SessionRepositoryRequestWrapper extends HttpServletRequestWrapper {
        public SessionRepositoryRequestWrapper(HttpServletRequest original) {
                super(original);
        }
        public HttpSession getSession() {
                return getSession(true);
        }
        public HttpSession getSession(boolean createNew) {
                // create an HttpSession implementation from Spring Session
        }
        // ... other methods delegate to the original HttpServletRequest ...
}Any method that returns an HttpSession is overridden.
All other methods are implemented by HttpServletRequestWrapper and simply delegate to the original HttpServletRequest implementation.
We replace the HttpServletRequest implementation using a servlet Filter called SessionRepositoryFilter.
The pseudocode can be found below:
public class SessionRepositoryFilter implements Filter {
        public doFilter(ServletRequest request, ServletResponse response, FilterChain chain) {
                HttpServletRequest httpRequest = (HttpServletRequest) request;
                SessionRepositoryRequestWrapper customRequest =
                        new SessionRepositoryRequestWrapper(httpRequest);
                chain.doFilter(customRequest, response, chain);
        }
        // ...
}By passing in a custom HttpServletRequest implementation into the FilterChain we ensure that anything invoked after our Filter uses the custom HttpSession implementation.
This highlights why it is important that Spring Session’s SessionRepositoryFilter must be placed before anything that interacts with the HttpSession.
Multiple HttpSessions in Single Browser
Spring Session has the ability to support multiple sessions in a single browser instance. This provides the ability to support authenticating with multiple users in the same browser instance (i.e. Google Accounts).
| The Manage Multiple Users Guide provides a complete working example of managing multiple users in the same browser instance. You can follow the basic steps for integration below, but you are encouraged to follow along with the detailed Manage Multiple Users Guide when integrating with your own application. | 
Let’s take a look at how Spring Session keeps track of multiple sessions.
Managing a Single Session
Spring Session keeps track of the HttpSession by adding a value to a cookie named SESSION.
For example, the SESSION cookie might have a value of:
7e8383a4-082c-4ffe-a4bc-c40fd3363c5e
Adding a Session
We can add another session by requesting a URL that contains a special parameter in it. By default the parameter name is _s. For example, the following URL would create a new session:
| The parameter value does not indicate the actual session id. This is important because we never want to allow the session id to be determined by a client to avoid session fixation attacks. Additionally, we do not want the session id to be leaked since it is sent as a query parameter. Remember sensitive information should only be transmitted as a header or in the body of the request. | 
Rather than creating the URL ourselves, we can utilize the HttpSessionManager to do this for us.
We can obtain the HttpSessionManager from the HttpServletRequest using the following:
HttpSessionManager sessionManager =
        (HttpSessionManager) httpRequest.getAttribute(HttpSessionManager.class.getName());We can now use it to create a URL to add another session.
String addAlias = unauthenticatedAlias == null ? (1)
        sessionManager.getNewSessionAlias(httpRequest) : (2)
        unauthenticatedAlias; (3)
String addAccountUrl = sessionManager.encodeURL(contextPath, addAlias); (4)| 1 | We have an existing variable named unauthenticatedAlias.
The value is an alias that points to an existing unauthenticated session.
If no such session exists, the value is null.
This ensures if we have an existing unauthenticated session that we use it instead of creating a new session. | 
| 2 | If all of our sessions are already associated to a user, we create a new session alias. | 
| 3 | If there is an existing session that is not associated to a user, we use its session alias. | 
| 4 | Finally, we create the add account URL. The URL contains a session alias that either points to an existing unauthenticated session or is an alias that is unused thus signaling to create a new session associated to that alias. | 
Now our SESSION cookie looks something like this:
0 7e8383a4-082c-4ffe-a4bc-c40fd3363c5e 1 1d526d4a-c462-45a4-93d9-84a39b6d44ad
Such that:
- 
There is a session with the id 7e8383a4-082c-4ffe-a4bc-c40fd3363c5e - 
The alias for this session is 0. For example, if the URL is http://localhost:8080/?_s=0 this alias would be used. 
- 
This is the default session. This means that if no session alias is specified, then this session is used. For example, if the URL is http://localhost:8080/ this session would be used. 
 
- 
- 
There is a session with the id 1d526d4a-c462-45a4-93d9-84a39b6d44ad - 
The alias for this session is 1. If the session alias is 1, then this session is used. For example, if the URL is http://localhost:8080/?_s=1 this alias would be used. 
 
- 
Automatic Session Alias Inclusion with encodeURL
The nice thing about specifying the session alias in the URL is that we can have multiple tabs open with different active sessions. The bad thing is that we need to include the session alias in every URL of our application. Fortunately, Spring Session will automatically include the session alias in any URL that passes through HttpServletResponse#encodeURL(java.lang.String)
This means that if you are using standard tag libraries the session alias is automatically included in the URL. For example, if we are currently using the session with the alias of 1, then the following:
  -->
<c:url value="/link.jsp" var="linkUrl"/>
<a id="navLink" href="${linkUrl}">Link</a>will output a link of:
<a id="navLink" href="/link.jsp?_s=1">Link</a>HttpSession & RESTful APIs
Spring Session can work with RESTful APIs by allowing the session to be provided in a header.
| The REST Sample provides a working sample on how to use Spring Session in a REST application to support authenticating with a header. You can follow the basic steps for integration below, but you are encouraged to follow along with the detailed REST Guide when integrating with your own application. | 
Spring Configuration
After adding the required dependencies, we can create our Spring configuration.
The Spring configuration is responsible for creating a Servlet Filter that replaces the HttpSession implementation with an implementation backed by Spring Session.
Add the following Spring Configuration:
@Configuration
@EnableRedisHttpSession (1)
public class HttpSessionConfig {
        @Bean
        public JedisConnectionFactory connectionFactory() {
                return new JedisConnectionFactory();  (2)
        }
        @Bean
        public HttpSessionStrategy httpSessionStrategy() {
                return new HeaderHttpSessionStrategy(); (3)
        }
}| 1 | The @EnableRedisHttpSessionannotation creates a Spring Bean with the name ofspringSessionRepositoryFilterthat implementsFilter.
The filter is what is in charge of replacing theHttpSessionimplementation to be backed by Spring Session.
In this instance Spring Session is backed by Redis. | 
| 2 | We create a RedisConnectionFactorythat connects Spring Session to the Redis Server.
We configure the connection to connect to localhost on the default port (6379)
For more information on configuring Spring Data Redis, refer to the reference documentation. | 
| 3 | We customize Spring Session’s HttpSession integration to use HTTP headers to convey the current session information instead of cookies. | 
Servlet Container Initialization
Our Spring Configuration created a Spring Bean named springSessionRepositoryFilter that implements Filter.
The springSessionRepositoryFilter bean is responsible for replacing the HttpSession with a custom implementation that is backed by Spring Session.
In order for our Filter to do its magic, Spring needs to load our Config class. We provide the configuration in our Spring MvcInitializer as shown below:
@Override
protected Class<?>[] getRootConfigClasses() {
    return new Class[] {SecurityConfig.class, HttpSessionConfig.class};
}Last we need to ensure that our Servlet Container (i.e. Tomcat) uses our springSessionRepositoryFilter for every request.
Fortunately, Spring Session provides a utility class named AbstractHttpSessionApplicationInitializer that makes this extremely easy. Simply extend the class with the default constructor as shown below:
public class Initializer extends AbstractHttpSessionApplicationInitializer {
}| The name of our class (Initializer) does not matter. What is important is that we extend AbstractHttpSessionApplicationInitializer. | 
HttpSessionListener
Spring Session supports HttpSessionListener by translating SessionDestroyedEvent and SessionCreatedEvent into HttpSessionEvent by declaring SessionEventHttpSessionListenerAdapter.
To use this support, you need to:
- 
Ensure your SessionRepositoryimplementation supports and is configured to fireSessionDestroyedEventandSessionCreatedEvent.
- 
Configure SessionEventHttpSessionListenerAdapteras a Spring bean.
- 
Inject every HttpSessionListenerinto theSessionEventHttpSessionListenerAdapter
If you are using the configuration support documented in HttpSession with Redis, then all you need to do is register every HttpSessionListener as a bean.
For example, assume you want to support Spring Security’s concurrency control and need to use HttpSessionEventPublisher you can simply add HttpSessionEventPublisher as a bean.
In Java configuration, this might look like:
@Configuration
@EnableRedisHttpSession
public class RedisHttpSessionConfig {
        @Bean
        public HttpSessionEventPublisher httpSessionEventPublisher() {
                return new HttpSessionEventPublisher();
        }
        // ...
}In XML configuration, this might look like:
<bean class="org.springframework.security.web.session.HttpSessionEventPublisher"/>WebSocket Integration
Spring Session provides transparent integration with Spring’s WebSocket support.
| Spring Session’s WebSocket support only works with Spring’s WebSocket support. Specifically it does not work with using JSR-356 directly. This is due to the fact that JSR-356 does not have a mechanism for intercepting incoming WebSocket messages. | 
Why Spring Session & WebSockets?
So why do we need Spring Session when using WebSockets?
Consider an email application that does much of its work through HTTP requests.
However, there is also a chat application embedded within it that works over WebSocket APIs.
If a user is actively chatting with someone, we should not timeout the HttpSession since this would be pretty poor user experience.
However, this is exactly what JSR-356 does.
Another issue is that according to JSR-356 if the HttpSession times out any WebSocket that was created with that HttpSession and an authenticated user should be forcibly closed.
This means that if we are actively chatting in our application and are not using the HttpSession, then we will also disconnect from our conversation!
WebSocket Usage
The WebSocket Sample provides a working sample on how to integrate Spring Session with WebSockets. You can follow the basic steps for integration below, but you are encouraged to follow along with the detailed WebSocket Guide when integrating with your own application:
HttpSession Integration
Before using WebSocket integration, you should be sure that you have HttpSession Integration working first.
Spring Configuration
In a typical Spring WebSocket application users would extend AbstractWebSocketMessageBrokerConfigurer.
For example, the configuration might look something like the following:
@Configuration
@EnableScheduling
@EnableWebSocketMessageBroker
public class WebSocketConfig
                extends AbstractWebSocketMessageBrokerConfigurer {
        public void registerStompEndpoints(StompEndpointRegistry registry) {
                registry.addEndpoint("/messages")
                                .withSockJS();
        }
        @Override
        public void configureMessageBroker(MessageBrokerRegistry registry) {
                registry.enableSimpleBroker("/queue/", "/topic/");
                registry.setApplicationDestinationPrefixes("/app");
        }
}We can easily update our configuration to use Spring Session’s WebSocket support. For example:
@Configuration
@EnableScheduling
@EnableWebSocketMessageBroker
public class WebSocketConfig
          extends AbstractSessionWebSocketMessageBrokerConfigurer<ExpiringSession> { (1)
        protected void configureStompEndpoints(StompEndpointRegistry registry) { (2)
                registry.addEndpoint("/messages")
                                .withSockJS();
        }
        public void configureMessageBroker(MessageBrokerRegistry registry) {
                registry.enableSimpleBroker("/queue/", "/topic/");
                registry.setApplicationDestinationPrefixes("/app");
        }
}To hook in the Spring Session support we only need to change two things:
| 1 | Instead of extending AbstractWebSocketMessageBrokerConfigurerwe extendAbstractSessionWebSocketMessageBrokerConfigurer | 
| 2 | We rename the registerStompEndpointsmethod toconfigureStompEndpoints | 
What does AbstractSessionWebSocketMessageBrokerConfigurer do behind the scenes?
- 
WebSocketConnectHandlerDecoratorFactoryis added as aWebSocketHandlerDecoratorFactorytoWebSocketTransportRegistration. This ensures a customSessionConnectEventis fired that contains theWebSocketSession. TheWebSocketSessionis necessary to terminate any WebSocket connections that are still open when a Spring Session is terminated.
- 
SessionRepositoryMessageInterceptoris added as aHandshakeInterceptorto everyStompWebSocketEndpointRegistration. This ensures that the Session is added to the WebSocket properties to enable updating the last accessed time.
- 
SessionRepositoryMessageInterceptoris added as aChannelInterceptorto our inboundChannelRegistration. This ensures that every time an inbound message is received, that the last accessed time of our Spring Session is updated.
- 
WebSocketRegistryListeneris created as a Spring Bean. This ensures that we have a mapping of all of the Session id to the corresponding WebSocket connections. By maintaining this mapping, we can close all the WebSocket connections when a Spring Session (HttpSession) is terminated.
API Documentation
You can browse the complete Javadoc online. The key APIs are described below:
Session
A Session is a simplified Map of name value pairs.
Typical usage might look like the following:
public class RepositoryDemo<S extends Session> {
    private SessionRepository<S> repository; (1)
    public void demo() {
        S toSave = repository.createSession(); (2)
        (3)
        User rwinch = new User("rwinch");
        toSave.setAttribute(ATTR_USER, rwinch);
        repository.save(toSave); (4)
        S session = repository.getSession(toSave.getId()); (5)
        (6)
        User user = session.getAttribute(ATTR_USER);
        assertThat(user).isEqualTo(rwinch);
    }
    // ... setter methods ...
}| 1 | We create a SessionRepositoryinstance with a generic type,S, that extendsSession. The generic type is defined in our class. | 
| 2 | We create a new Sessionusing ourSessionRepositoryand assign it to a variable of typeS. | 
| 3 | We interact with the Session. In our example, we demonstrate saving aUserto theSession. | 
| 4 | We now save the Session. This is why we needed the generic typeS. TheSessionRepositoryonly allows savingSessioninstances that were created or retrieved using the sameSessionRepository. This allows for theSessionRepositoryto make implementation specific optimizations (i.e. only writing attributes that have changed). | 
| 5 | We retrieve the Sessionfrom theSessionRepository. | 
| 6 | We obtain the persisted Userfrom ourSessionwithout the need for explicitly casting our attribute. | 
ExpiringSession
An ExpiringSession extends a Session by providing attributes related to the Session instance’s expiration.
If there is no need to interact with the expiration information, prefer using the more simple Session API.
Typical usage might look like the following:
public class ExpiringRepositoryDemo<S extends ExpiringSession> {
    private SessionRepository<S> repository; (1)
    public void demo() {
        S toSave = repository.createSession(); (2)
        // ...
        toSave.setMaxInactiveIntervalInSeconds(30); (3)
        repository.save(toSave); (4)
        S session = repository.getSession(toSave.getId()); (5)
        // ...
    }
    // ... setter methods ...
}| 1 | We create a SessionRepositoryinstance with a generic type,S, that extendsExpiringSession. The generic type is defined in our class. | 
| 2 | We create a new ExpiringSessionusing ourSessionRepositoryand assign it to a variable of typeS. | 
| 3 | We interact with the ExpiringSession.
In our example, we demonstrate updating the amount of time theExpiringSessioncan be inactive before it expires. | 
| 4 | We now save the ExpiringSession.
This is why we needed the generic typeS.
TheSessionRepositoryonly allows savingExpiringSessioninstances that were created or retrieved using the sameSessionRepository.
This allows for theSessionRepositoryto make implementation specific optimizations (i.e. only writing attributes that have changed).
The last accessed time is automatically updated when theExpiringSessionis saved. | 
| 5 | We retrieve the ExpiringSessionfrom theSessionRepository.
If theExpiringSessionwere expired, the result would be null. | 
SessionRepository
A SessionRepository is in charge of creating, retrieving, and persisting Session instances.
If possible, developers should not interact directly with a SessionRepository or a Session.
Instead, developers should prefer interacting with SessionRepository and Session indirectly through the HttpSession and WebSocket integration.
FindByIndexNameSessionRepository
Spring Session’s most basic API for using a Session is the SessionRepository.
This API is intentionally very simple, so that it is easy to provide additional implementations with basic functionality.
Some SessionRepository implementations may choose to implement FindByIndexNameSessionRepository also.
For example, Spring’s Redis support implements FindByIndexNameSessionRepository.
The FindByIndexNameSessionRepository adds a single method to look up all the sessions for a particular user.
This is done by ensuring that the session attribute with the name FindByIndexNameSessionRepository.PRINCIPAL_NAME_INDEX_NAME is populated with the username.
It is the responsibility of the developer to ensure the attribute is populated since Spring Session is not aware of the authentication mechanism being used.
An example of how this might be used can be seen below:
String username = "username";
session.setAttribute(FindByIndexNameSessionRepository.PRINCIPAL_NAME_INDEX_NAME, username);| Some implementations of  | 
Once the session is indexed, it can be found using the following:
String username = "username";
Map<String,Session> sessionIdToSession =
        sessionRepository.findByIndexNameAndIndexValue(FindByIndexNameSessionRepository.PRINCIPAL_NAME_INDEX_NAME, username);EnableSpringHttpSession
The @EnableSpringHttpSession annotation can be added to an @Configuration class to expose the SessionRepositoryFilter as a bean named "springSessionRepositoryFilter".
In order to leverage the annotation, a single SessionRepository bean must be provided.
For example:
@EnableSpringHttpSession
@Configuration
public class SpringHttpSessionConfig {
        @Bean
        public MapSessionRepository sessionRepository() {
                return new MapSessionRepository();
        }
}It is important to note that no infrastructure for session expirations is configured for you out of the box. This is because things like session expiration are highly implementation dependent. This means if you require cleaning up expired sessions, you are responsible for cleaning up the expired sessions.
EnableHazelcastHttpSession
If you wish to use Hazelcast as your backing source for the SessionRepository, then the @EnableHazelcastHttpSession annotation
can be added to an @Configuration class. This extends the functionality provided by the @EnableSpringHttpSession annotation but makes the SessionRepository for you in Hazelcast.
You must provide a single HazelcastInstance bean for the configuration to work.
For example:
@EnableHazelcastHttpSession (1)
@Configuration
public class HazelcastHttpSessionConfig {
        @Bean
        public HazelcastInstance embeddedHazelcast() {
                Config hazelcastConfig = new Config();
                return Hazelcast.newHazelcastInstance(hazelcastConfig); (2)
        }
}This will configure Hazelcast in embedded mode with default configuration. See the Hazelcast documentation for detailed information on configuration options for Hazelcast.
Storage Details
Sessions will be stored in a distributed Map in Hazelcast using a MapSessionRepository.
The Map interface methods will be used to get() and put() Sessions.
The expiration of a session in the Map is handled by Hazelcast’s support for setting the time to live on an entry when it is put() into the Map. Entries (sessions) that have been idle longer than the time to live will be automatically removed from the Map.
You shouldn’t need to configure any settings such as max-idle-seconds or time-to-live-seconds for the Map within the Hazelcast configuration.
Basic Customization
You can use the following attributes on @EnableHazelcastHttpSession to customize the configuration:
- 
maxInactiveIntervalInSeconds - the amount of time before the session will expire in seconds. Default is 1800 seconds (30 minutes) 
- 
sessionMapName - the name of the distributed Mapthat will be used in Hazelcast to store the session data.
RedisOperationsSessionRepository
RedisOperationsSessionRepository is a SessionRepository that is implemented using Spring Data’s RedisOperations.
In a web environment, this is typically used in combination with SessionRepositoryFilter.
The implementation supports SessionDestroyedEvent and SessionCreatedEvent through SessionMessageListener.
Instantiating a RedisOperationsSessionRepository
A typical example of how to create a new instance can be seen below:
JedisConnectionFactory factory = new JedisConnectionFactory();
SessionRepository<? extends ExpiringSession> repository =
        new RedisOperationsSessionRepository(factory);For additional information on how to create a RedisConnectionFactory, refer to the Spring Data Redis Reference.
EnableRedisHttpSession
In a web environment, the simplest way to create a new RedisOperationsSessionRepository is to use @EnableRedisHttpSession.
Complete example usage can be found in the Samples and Guides (Start Here)
You can use the following attributes to customize the configuration:
- 
maxInactiveIntervalInSeconds - the amount of time before the session will expire in seconds 
- 
redisNamespace - allows configuring an application specific namespace for the sessions. Redis keys and channel ids will start with the prefix of spring:session:<redisNamespace>:.
- 
redisFlushMode - allows specifying when data will be written to Redis. The default is only when saveis invoked onSessionRepository. A value ofRedisFlushMode.IMMEDIATEwill write to Redis as soon as possible.
Redis TaskExecutor
RedisOperationsSessionRepository is subscribed to receive events from redis using a RedisMessageListenerContainer.
You can customize the way those events are dispatched, by creating a Bean named springSessionRedisTaskExecutor and/or a Bean springSessionRedisSubscriptionExecutor.
More details on configuring redis task executors can be found here.
Storage Details
The sections below outline how Redis is updated for each operation. An example of creating a new session can be found below. The subsequent sections describe the details.
HMSET spring:session:sessions:33fdd1b6-b496-4b33-9f7d-df96679d32fe creationTime 1404360000000 \ maxInactiveInterval 1800 \ lastAccessedTime 1404360000000 \ sessionAttr:attrName someAttrValue \ sessionAttr2:attrName someAttrValue2 EXPIRE spring:session:sessions:33fdd1b6-b496-4b33-9f7d-df96679d32fe 2100 APPEND spring:session:sessions:expires:33fdd1b6-b496-4b33-9f7d-df96679d32fe "" EXPIRE spring:session:sessions:expires:33fdd1b6-b496-4b33-9f7d-df96679d32fe 1800 SADD spring:session:expirations:1439245080000 expires:33fdd1b6-b496-4b33-9f7d-df96679d32fe EXPIRE spring:session:expirations1439245080000 2100
Saving a Session
Each session is stored in Redis as a Hash. Each session is set and updated using the HMSET command. An example of how each session is stored can be seen below.
HMSET spring:session:sessions:33fdd1b6-b496-4b33-9f7d-df96679d32fe creationTime 1404360000000 \ maxInactiveInterval 1800 \ lastAccessedTime 1404360000000 \ sessionAttr:attrName someAttrValue \ sessionAttr2:attrName someAttrValue2
In this example, the session following statements are true about the session:
- 
The session id is 33fdd1b6-b496-4b33-9f7d-df96679d32fe 
- 
The session was created at 1404360000000 in milliseconds since midnight of 1/1/1970 GMT. 
- 
The session expires in 1800 seconds (30 minutes). 
- 
The session was last accessed at 1404360000000 in milliseconds since midnight of 1/1/1970 GMT. 
- 
The session has two attributes. The first is "attrName" with the value of "someAttrValue". The second session attribute is named "attrName2" with the value of "someAttrValue2". 
Optimized Writes
The Session instances managed by RedisOperationsSessionRepository keeps track of the properties that have changed and only updates those.
This means if an attribute is written once and read many times we only need to write that attribute once.
For example, assume the session attribute "sessionAttr2" from earlier was updated.
The following would be executed upon saving:
HMSET spring:session:sessions:33fdd1b6-b496-4b33-9f7d-df96679d32fe sessionAttr:attrName2 newValue
Session Expiration
An expiration is associated to each session using the EXPIRE command based upon the ExpiringSession.getMaxInactiveInterval().
For example:
EXPIRE spring:session:sessions:33fdd1b6-b496-4b33-9f7d-df96679d32fe 2100
You will note that the expiration that is set is 5 minutes after the session actually expires. This is necessary so that the value of the session can be accessed when the session expires. An expiration is set on the session itself five minutes after it actually expires to ensure it is cleaned up, but only after we perform any necessary processing.
| The  | 
Spring Session relies on the delete and expired keyspace notifications from Redis to fire a SessionDeletedEvent and SessionExpiredEvent respectively.
It is the SessionDeletedEvent or SessionExpiredEvent that ensures resources associated with the Session are cleaned up.
For example, when using Spring Session’s WebSocket support the Redis expired or delete event is what triggers any WebSocket connections associated with the session to be closed.
Expiration is not tracked directly on the session key itself since this would mean the session data would no longer be available. Instead a special session expires key is used. In our example the expires key is:
APPEND spring:session:sessions:expires:33fdd1b6-b496-4b33-9f7d-df96679d32fe "" EXPIRE spring:session:sessions:expires:33fdd1b6-b496-4b33-9f7d-df96679d32fe 1800
When a session expires key is deleted or expires, the keyspace notification triggers a lookup of the actual session and a SessionDestroyedEvent is fired.
One problem with relying on Redis expiration exclusively is that Redis makes no guarantee of when the expired event will be fired if they key has not been accessed. Specifically the background task that Redis uses to clean up expired keys is a low priority task and may not trigger the key expiration. For additional details see Timing of expired events section in the Redis documentation.
To circumvent the fact that expired events are not guaranteed to happen we can ensure that each key is accessed when it is expected to expire. This means that if the TTL is expired on the key, Redis will remove the key and fire the expired event when we try to access they key.
For this reason, each session expiration is also tracked to the nearest minute. This allows a background task to access the potentially expired sessions to ensure that Redis expired events are fired in a more deterministic fashion. For example:
SADD spring:session:expirations:1439245080000 expires:33fdd1b6-b496-4b33-9f7d-df96679d32fe EXPIRE spring:session:expirations1439245080000 2100
The background task will then use these mappings to explicitly request each key. By accessing they key, rather than deleting it, we ensure that Redis deletes the key for us only if the TTL is expired.
| We do not explicitly delete the keys since in some instances there may be a race condition that incorrectly identifies a key as expired when it is not. Short of using distributed locks (which would kill our performance) there is no way to ensure the consistency of the expiration mapping. By simply accessing the key, we ensure that the key is only removed if the TTL on that key is expired. | 
SessionDeletedEvent and SessionExpiredEvent
SessionDeletedEvent and SessionExpiredEvent are both types of SessionDestroyedEvent.
RedisOperationsSessionRepository supports firing a SessionDeletedEvent whenever a Session is deleted or a SessionExpiredEvent when it expires.
This is necessary to ensure resources associated with the Session are properly cleaned up.
For example, when integrating with WebSockets the SessionDestroyedEvent is in charge of closing any active WebSocket connections.
Firing SessionDeletedEvent or SessionExpiredEvent is made available through the SessionMessageListener which listens to Redis Keyspace events.
In order for this to work, Redis Keyspace events for Generic commands and Expired events needs to be enabled.
For example:
redis-cli config set notify-keyspace-events EgxIf you are using @EnableRedisHttpSession the SessionMessageListener and enabling the necessary Redis Keyspace events is done automatically.
However, in a secured Redis enviornment the config command is disabled.
This means that Spring Session cannot configure Redis Keyspace events for you.
To disable the automatic configuration add ConfigureRedisAction.NO_OP as a bean.
For example, Java Configuration can use the following:
@Bean
public static ConfigureRedisAction configureRedisAction() {
    return ConfigureRedisAction.NO_OP;
}XML Configuraiton can use the following:
<util:constant
    static-field="org.springframework.session.data.redis.config.ConfigureRedisAction.NO_OP"/>SessionCreatedEvent
When a session is created an event is sent to Redis with the channel of spring:session:channel:created:33fdd1b6-b496-4b33-9f7d-df96679d32fe
such that 33fdd1b6-b496-4b33-9f7d-df96679d32fe is the session id. The body of the event will be the session that was created.
If registered as a MessageListener (default), then RedisOperationsSessionRepository will then translate the Redis message into a SessionCreatedEvent.
Viewing the Session in Redis
After installing redis-cli, you can inspect the values in Redis using the redis-cli. For example, enter the following into a terminal:
$ redis-cli
redis 127.0.0.1:6379> keys *
1) "spring:session:sessions:4fc39ce3-63b3-4e17-b1c4-5e1ed96fb021" (1)
2) "spring:session:expirations:1418772300000" (2)| 1 | The suffix of this key is the session identifier of the Spring Session. | 
| 2 | This key contains all the session ids that should be deleted at the time 1418772300000. | 
You can also view the attributes of each session.
redis 127.0.0.1:6379> hkeys spring:session:sessions:4fc39ce3-63b3-4e17-b1c4-5e1ed96fb021
1) "lastAccessedTime"
2) "creationTime"
3) "maxInactiveInterval"
4) "sessionAttr:username"
redis 127.0.0.1:6379> hget spring:session:sessions:4fc39ce3-63b3-4e17-b1c4-5e1ed96fb021 sessionAttr:username
"\xac\xed\x00\x05t\x00\x03rob"GemFireOperationsSessionRepository
GemFireOperationsSessionRepository is a SessionRepository that is implemented using Spring Data’s GemFireOperationsSessionRepository.
In a web environment, this is typically used in combination with SessionRepositoryFilter.
The implementation supports SessionDestroyedEvent and SessionCreatedEvent through SessionMessageListener.
Using Indexes with GemFire
While best practices concerning the proper definition of indexes that positively impact GemFire’s performance is beyond the scope of this document, it is important to realize that Spring Session Data GemFire creates and uses indexes to query and find Sessions efficiently.
Out-of-the-box, Spring Session Data GemFire creates 1 Hash-typed Index on the principal name. There are two different buit in
strategies for finding the principal name. The first strategy is that the value of the session attribute with the name
FindByIndexNameSessionRepository.PRINCIPAL_NAME_INDEX_NAME will be indexed to the same index name. For example:
String indexName = FindByIndexNameSessionRepository.PRINCIPAL_NAME_INDEX_NAME;
session.setAttribute(indexName, username);
Map<String,ExpiringSession> idToSessions = sessionRepository.findByIndexNameAndIndexValue(indexName, username);Using Indexes with GemFire & Spring Security
Alternatively, Spring Session Data GemFire will map Spring Security’s current Authentication#getName() to the index
FindByIndexNameSessionRepository.PRINCIPAL_NAME_INDEX_NAME. For example, if you are using Spring Security you can
find the current user’s sessions using:
SecurityContext context = SecurityContextHolder.getContext();
Authentication authentication = context.getAuthentication();
String indexName = FindByIndexNameSessionRepository.PRINCIPAL_NAME_INDEX_NAME;
Map<String,ExpiringSession> idToSessions = sessionRepository.findByIndexNameAndIndexValue(indexName, authentication.getName());Using Custom Indexes with GemFire
This enables developers using the GemFireOperationsSessionRepository programmatically to query and find all Sessions
with a given principal name efficiently.
Additionally, Spring Session Data GemFire will create a Range-based Index on the implementing Session’s Map-type
attributes property (i.e. on any arbitrary Session attribute) when a developer identifies 1 or more named Session
attributes that should be indexed by GemFire.
Sessions attributes to index can be specified with the indexableSessionAttributes attribute on the @EnableGemFireHttpSession
annotation.  A developer adds this annotation to their Spring application @Configuration class when s/he wishes to
enable Spring Session support for HttpSession backed by GemFire.
For example, the following configuration:
@EnableGemFireHttpSession(indexableSessionAttributes = { "name1", "name2", "name3" })
public class GemFireHttpSessionConfig {
        // ...
}will allow searching for sessions using the following:
String indexName = "name1";
session.setAttribute(indexName, attrValue);
Map<String,ExpiringSession> idToSessions = sessionRepository.findByIndexNameAndIndexValue(indexName, attrValue);| Only Session attribute names identified in the @EnableGemFireHttpSessionannotation’sindexableSessionAttributesattribute will have an Index defined.  All other Session attributes will not be indexed. | 
However, there is one caveat. Any values stored in indexable Session attributes must implement the java.lang.Comparable<T>
interface. If those object values do not implement Comparable, then GemFire will throw an error on startup when the
Index is defined for Regions with persistent Session data, or when an attempt is made at runtime to assign the indexable
Session attribute a value that is not Comparable and the Session is saved to GemFire.
| Any Session attribute that is not indexed may store non- Comparablevalues. | 
To learn more about GemFire’s Range-based Indexes, see Creating Indexes on Map Fields.
To learn more about GemFire Indexing in general, see Working with Indexes.
MapSessionRepository
The MapSessionRepository allows for persisting ExpiringSession in a Map with the key being the ExpiringSession id and the value being the ExpiringSession.
The implementation can be used with a ConcurrentHashMap as a testing or convenience mechanism.
Alternatively, it can be used with distributed Map implementations. For example, it can be used with Hazelcast.
Instantiating MapSessionRepository
Creating a new instance is as simple as:
SessionRepository<? extends ExpiringSession> repository = new MapSessionRepository();Using Spring Session and Hazlecast
The Hazelcast Sample is a complete application demonstrating using Spring Session with Hazelcast.
To run it use the following:
./gradlew :samples:hazelcast:tomcatRun
The Hazelcast Spring Sample is a complete application demonstrating using Spring Session with Hazelcast and Spring Security.
It includes example Hazelcast MapListener implementations that support firing SessionCreatedEvent, SessionDeletedEvent and SessionExpiredEvent.
To run it use the following:
./gradlew :samples:hazelcast-spring:tomcatRun
Spring Session Community
We are glad to consider you a part of our community. Please find additional information below.
Support
You can get help by asking questions on StackOverflow with the tag spring-session. Similarly we encourage helping others by answering questions on StackOverflow.
Source Code
Our source code can be found on github at https://github.com/spring-projects/spring-session/
Issue Tracking
We track issues in github issues at https://github.com/spring-projects/spring-session/issues
Contributing
We appreciate Pull Requests.
License
Spring Session is Open Source software released under the Apache 2.0 license.
Minimum Requirements
The minimum requirements for Spring Session are:
- 
Java 5+ 
- 
If you are running in a Servlet Container (not required), Servlet 2.5+ 
- 
If you are using other Spring libraries (not required), the minimum required version is Spring 3.2.14. While we re-run all unit tests against Spring 3.2.x, we recommend using the latest Spring 4.x version when possible. 
- 
@EnableRedisHttpSessionrequires Redis 2.8+. This is necessary to support Session Expiration
| At its core Spring Session only has a required dependency on commons-logging. For an example of using Spring Session without any other Spring dependencies, refer to the hazelcast sample application. |