org.springframework.session.web.http

Class CookieHttpSessionStrategy

java.lang.Object

org.springframework.session.web.http.CookieHttpSessionStrategy

All Implemented Interfaces:

HttpSessionManager, HttpSessionStrategy, MultiHttpSessionStrategy, RequestResponsePostProcessor

public final class CookieHttpSessionStrategy
extends java.lang.Object
implements MultiHttpSessionStrategy, HttpSessionManager

A HttpSessionStrategy that uses a cookie to obtain the session from. Specifically, this implementation will allow specifying a cookie name using setCookieName(String). The default is "SESSION". When a session is created, the HTTP response will have a cookie with the specified cookie name and the value of the session id. The cookie will be marked as a session cookie, use the context path for the path of the cookie, marked as HTTPOnly, and if ServletRequest.isSecure() returns true, the cookie will be marked as secure. For example:

 HTTP/1.1 200 OK
 Set-Cookie: SESSION=f81d4fae-7dec-11d0-a765-00a0c91e6bf6; Path=/context-root; Secure; HttpOnly
 

The client should now include the session in each request by specifying the same cookie in their request. For example:

 GET /messages/ HTTP/1.1
 Host: example.com
 Cookie: SESSION=f81d4fae-7dec-11d0-a765-00a0c91e6bf6
 

When the session is invalidated, the server will send an HTTP response that expires the cookie. For example:

 HTTP/1.1 200 OK
 Set-Cookie: SESSION=f81d4fae-7dec-11d0-a765-00a0c91e6bf6; Expires=Thur, 1 Jan 1970 00:00:00 GMT; Secure; HttpOnly
 

Supporting Multiple Simultaneous Sessions

By default multiple sessions are also supported. Once a session is established with the browser, another session can be initiated by specifying a unique value for the setSessionAliasParamName(String). For example, a request to:

 GET /messages/?_s=1416195761178 HTTP/1.1
 Host: example.com
 Cookie: SESSION=f81d4fae-7dec-11d0-a765-00a0c91e6bf6
 

Will result in the following response:

  HTTP/1.1 200 OK
 Set-Cookie: SESSION="0 f81d4fae-7dec-11d0-a765-00a0c91e6bf6 1416195761178 8a929cde-2218-4557-8d4e-82a79a37876d"; Expires=Thur, 1 Jan 1970 00:00:00 GMT; Secure; HttpOnly
 

To use the original session a request without the HTTP parameter u can be made. To use the new session, a request with the HTTP parameter _s=1416195761178 can be used. By default URLs will be rewritten to include the currently selected session.

Selecting Sessions

Sessions can be managed by using the HttpSessionManager and SessionRepository. If you are not using Spring in the rest of your application you can obtain a reference from the HttpServletRequest attributes. An example is provided below:

HttpSessionManager sessionManager = (HttpSessionManager) req.getAttribute(HttpSessionManager.class.getName()); SessionRepository<Session> repo = (SessionRepository<Session>) req.getAttribute(SessionRepository.class.getName()); String currentSessionAlias = sessionManager.getCurrentSessionAlias(req); Map<String, String> sessionIds = sessionManager.getSessionIds(req); String newSessionAlias = String.valueOf(System.currentTimeMillis()); String contextPath = req.getContextPath(); List<Account> accounts = new ArrayList<>(); Account currentAccount = null; for(Map.Entry<String, String> entry : sessionIds.entrySet()) { String alias = entry.getKey(); String sessionId = entry.getValue(); Session session = repo.getSession(sessionId); if(session == null) { continue; } String username = session.getAttribute("username"); if(username == null) { newSessionAlias = alias; continue; } String logoutUrl = sessionManager.encodeURL("./logout", alias); String switchAccountUrl = sessionManager.encodeURL("./", alias); Account account = new Account(username, logoutUrl, switchAccountUrl); if(currentSessionAlias.equals(alias)) { currentAccount = account; } else { accounts.add(account); } } req.setAttribute("currentAccount", currentAccount); req.setAttribute("addAccountUrl", sessionManager.encodeURL(contextPath, newSessionAlias)); req.setAttribute("accounts", accounts); }

Since:

1.0

Author:

Rob Winch

Constructor Summary

Constructors

Constructor and Description
CookieHttpSessionStrategy()

Method Summary

Modifier and Type	Method and Description
java.lang.String	encodeURL(java.lang.String url, java.lang.String sessionAlias) Provides the ability to encode the URL for a given session alias.
java.lang.String	getCurrentSessionAlias(HttpServletRequest request) Gets the current session's alias from the HttpServletRequest.
java.lang.String	getNewSessionAlias(HttpServletRequest request) Gets a new and unique Session alias.
java.lang.String	getRequestedSessionId(HttpServletRequest request) Obtains the requested session id from the provided HttpServletRequest.
java.util.Map<java.lang.String,java.lang.String>	getSessionIds(HttpServletRequest request) Gets a mapping of the session alias to the session id from the HttpServletRequest.
void	onInvalidateSession(HttpServletRequest request, HttpServletResponse response) This method is invoked when a session is invalidated and should inform a client that the session id is no longer valid.
void	onNewSession(Session session, HttpServletRequest request, HttpServletResponse response) This method is invoked when a new session is created and should inform a client what the new session id is.
void	setCookieName(java.lang.String cookieName) Deprecated. use setCookieSerializer(CookieSerializer)
void	setCookieSerializer(CookieSerializer cookieSerializer) Sets the CookieSerializer to be used.
void	setDeserializationDelimiter(java.lang.String delimiter) Sets the delimiter between a session alias and a session id when deserializing a cookie.
void	setSerializationDelimiter(java.lang.String delimiter) Sets the delimiter between a session alias and a session id when deserializing a cookie.
void	setSessionAliasParamName(java.lang.String sessionAliasParamName) Sets the name of the HTTP parameter that is used to specify the session alias.
HttpServletRequest	wrapRequest(HttpServletRequest request, HttpServletResponse response) Allows customizing the HttpServletRequest.
HttpServletResponse	wrapResponse(HttpServletRequest request, HttpServletResponse response) Allows customizing the HttpServletResponse.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

CookieHttpSessionStrategy

public CookieHttpSessionStrategy()

Method Detail

getRequestedSessionId

public java.lang.String getRequestedSessionId(HttpServletRequest request)

Description copied from interface: HttpSessionStrategy

Obtains the requested session id from the provided HttpServletRequest. For example, the session id might come from a cookie or a request header.

Specified by:

getRequestedSessionId in interface HttpSessionStrategy

Parameters:

request - the HttpServletRequest to obtain the session id from. Cannot be null.

Returns:

the HttpServletRequest to obtain the session id from.

getCurrentSessionAlias

public java.lang.String getCurrentSessionAlias(HttpServletRequest request)

Description copied from interface: HttpSessionManager

Gets the current session's alias from the HttpServletRequest.

Specified by:

getCurrentSessionAlias in interface HttpSessionManager

Parameters:

request - the HttpServletRequest to obtain the current session's alias from.

Returns:

the current sessions' alias. Cannot be null.

getNewSessionAlias

public java.lang.String getNewSessionAlias(HttpServletRequest request)

Description copied from interface: HttpSessionManager

Gets a new and unique Session alias. Typically this will be called to pass into HttpSessionManager#encodeURL(java.lang.String). For example: String newAlias = httpSessionManager.getNewSessionAlias(request); String addAccountUrl = httpSessionManager.encodeURL("./", newAlias);

Specified by:

getNewSessionAlias in interface HttpSessionManager

Parameters:

request - the HttpServletRequest to get a new alias from

Returns:

Gets a new and unique Session alias.

onNewSession

public void onNewSession(Session session,
                         HttpServletRequest request,
                         HttpServletResponse response)

Description copied from interface: HttpSessionStrategy

This method is invoked when a new session is created and should inform a client what the new session id is. For example, it might create a new cookie with the session id in it or set an HTTP response header with the value of the new session id. Some implementations may wish to associate additional information to the Session at this time. For example, they may wish to add the IP Address, browser headers, the username, etc to the Session.

Specified by:

onNewSession in interface HttpSessionStrategy

Parameters:

session - the Session that is being sent to the client. Cannot be null.

request - the HttpServletRequest that create the new Session Cannot be null.

response - the HttpServletResponse that is associated with the HttpServletRequest that created the new Session Cannot be null.

onInvalidateSession

public void onInvalidateSession(HttpServletRequest request,
                                HttpServletResponse response)

Description copied from interface: HttpSessionStrategy

This method is invoked when a session is invalidated and should inform a client that the session id is no longer valid. For example, it might remove a cookie with the session id in it or set an HTTP response header with an empty value indicating to the client to no longer submit that session id.

Specified by:

onInvalidateSession in interface HttpSessionStrategy

Parameters:

request - the HttpServletRequest that invalidated the Session Cannot be null.

response - the HttpServletResponse that is associated with the HttpServletRequest that invalidated the Session Cannot be null.

setSessionAliasParamName

public void setSessionAliasParamName(java.lang.String sessionAliasParamName)

Sets the name of the HTTP parameter that is used to specify the session alias. If the value is null, then only a single session is supported per browser.

Parameters:

sessionAliasParamName - the name of the HTTP parameter used to specify the session alias. If null, then ony a single session is supported per browser.

setCookieSerializer

public void setCookieSerializer(CookieSerializer cookieSerializer)

Sets the CookieSerializer to be used.

Parameters:

cookieSerializer - the cookieSerializer to set. Cannot be null.

setCookieName

@Deprecated
public void setCookieName(java.lang.String cookieName)

Deprecated. use setCookieSerializer(CookieSerializer)

Sets the name of the cookie to be used.

Parameters:

cookieName - the name of the cookie to be used

setDeserializationDelimiter

public void setDeserializationDelimiter(java.lang.String delimiter)

Sets the delimiter between a session alias and a session id when deserializing a cookie. The default is " " This is useful when using RFC 6265 for writing the cookies which doesn't allow for spaces in the cookie values.

Parameters:

delimiter - the delimiter to set (i.e. "_ " will try a delimeter of either "_" or " ")

setSerializationDelimiter

public void setSerializationDelimiter(java.lang.String delimiter)

Sets the delimiter between a session alias and a session id when deserializing a cookie. The default is " ". This is useful when using RFC 6265 for writing the cookies which doesn't allow for spaces in the cookie values.

Parameters:

delimiter - the delimiter to set (i.e. "_")

getSessionIds

public java.util.Map<java.lang.String,java.lang.String> getSessionIds(HttpServletRequest request)

Description copied from interface: HttpSessionManager

Gets a mapping of the session alias to the session id from the HttpServletRequest.

Specified by:

getSessionIds in interface HttpSessionManager

Parameters:

request - the HttpServletRequest to obtain the mapping from. Cannot be null.

Returns:

a mapping of the session alias to the session id from the HttpServletRequest. Cannot be null.

wrapRequest

public HttpServletRequest wrapRequest(HttpServletRequest request,
                                      HttpServletResponse response)

Description copied from interface: RequestResponsePostProcessor

Allows customizing the HttpServletRequest.

Specified by:

wrapRequest in interface RequestResponsePostProcessor

Parameters:

request - the original HttpServletRequest. Cannot be null.

response - the original HttpServletResponse. This is NOT the result of RequestResponsePostProcessor.wrapResponse(HttpServletRequest, HttpServletResponse) Cannot be null. .

Returns:

a non-null HttpServletRequest

wrapResponse

public HttpServletResponse wrapResponse(HttpServletRequest request,
                                        HttpServletResponse response)

Description copied from interface: RequestResponsePostProcessor

Allows customizing the HttpServletResponse.

Specified by:

wrapResponse in interface RequestResponsePostProcessor

Parameters:

request - the original HttpServletRequest. This is NOT the result of RequestResponsePostProcessor.wrapRequest(HttpServletRequest, HttpServletResponse). Cannot be null.

response - the original HttpServletResponse. Cannot be null.

Returns:

a non-null HttpServletResponse

encodeURL

public java.lang.String encodeURL(java.lang.String url,
                                  java.lang.String sessionAlias)

Description copied from interface: HttpSessionManager

Provides the ability to encode the URL for a given session alias.

Specified by:

encodeURL in interface HttpSessionManager

Parameters:

url - the url to encode.

sessionAlias - the session alias to encode.

Returns:

the encoded URL