public final class CookieHttpSessionStrategy extends java.lang.Object implements MultiHttpSessionStrategy, HttpSessionManager

An HttpSessionStrategy that uses a cookie to obtain the session from. Specifically, this implementation will allow specifying a cookie name using setCookieName(String). The default is "SESSION".

When a session is created, the HTTP response will have a cookie with the specified cookie name and the value of the session id. The cookie will be marked as a session cookie, use the context path for the path of the cookie, be marked as HttpOnly, and, if ServletRequest.isSecure() returns true, be marked as secure. For example:

HTTP/1.1 200 OK
Set-Cookie: SESSION=f81d4fae-7dec-11d0-a765-00a0c91e6bf6; Path=/context-root; Secure; HttpOnly

The client should now include the session in each request by specifying the same cookie in their request. For example:

GET /messages/ HTTP/1.1
Host: example.com
Cookie: SESSION=f81d4fae-7dec-11d0-a765-00a0c91e6bf6

When the session is invalidated, the server will send an HTTP response that expires the cookie. For example:

HTTP/1.1 200 OK
Set-Cookie: SESSION=f81d4fae-7dec-11d0-a765-00a0c91e6bf6; Expires=Thur, 1 Jan 1970 00:00:00 GMT; Secure; HttpOnly

By default multiple sessions are also supported. Once a session is established with the browser, another session can be initiated by specifying a unique value for the HTTP parameter configured with setSessionAliasParamName(String). For example, a request to:

GET /messages/?_s=1416195761178 HTTP/1.1
Host: example.com
Cookie: SESSION=f81d4fae-7dec-11d0-a765-00a0c91e6bf6

will result in the following response:

HTTP/1.1 200 OK
Set-Cookie: SESSION="0 f81d4fae-7dec-11d0-a765-00a0c91e6bf6 1416195761178 8a929cde-2218-4557-8d4e-82a79a37876d"; Expires=Thur, 1 Jan 1970 00:00:00 GMT; Secure; HttpOnly

To use the original session, a request without the HTTP parameter _s can be made. To use the new session, a request with the HTTP parameter _s=1416195761178 can be used. By default URLs will be rewritten to include the currently selected session.
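
The multi-session cookie value shown above is a delimiter-separated list of alias and session id pairs, where each character of the deserialization delimiter is tried as a separator. The stand-alone parser below is an added example, not Spring Session's own code; the class name, the alias pattern and the malformed sample value are assumptions made for illustration.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.StringTokenizer;
import java.util.regex.Pattern;

// Added example: stand-alone parser for the multi-session cookie value format.
public class SessionCookieValueParser {
    // Alias of the first session, as seen in the sample cookie on this page.
    static final String DEFAULT_ALIAS = "0";
    // Assumption: a conservative alias allow-list chosen for this example.
    static final Pattern SAFE_ALIAS = Pattern.compile("^[\\w-]{1,50}$");

    /** Maps alias to session id; every character of delimiters acts as a separator. */
    static Map<String, String> parse(String cookieValue, String delimiters) {
        Map<String, String> result = new LinkedHashMap<>();
        if (cookieValue == null) {
            return result;
        }
        // A quoted cookie value may arrive with its surrounding double quotes.
        String value = cookieValue.replaceAll("^\"|\"$", "");
        StringTokenizer tokens = new StringTokenizer(value, delimiters);
        if (tokens.countTokens() == 1) {
            result.put(DEFAULT_ALIAS, tokens.nextToken());
            return result;
        }
        while (tokens.hasMoreTokens()) {
            String alias = tokens.nextToken();
            if (!tokens.hasMoreTokens()) {
                break; // dangling alias without an id: ignore it
            }
            String id = tokens.nextToken();
            if (SAFE_ALIAS.matcher(alias).matches()) {
                result.put(alias, id); // client-supplied; not yet a valid session
            }
        }
        return result;
    }

    public static void main(String[] args) {
        // Constructed input: the cookie value from the response example on this page.
        String multi = "\"0 f81d4fae-7dec-11d0-a765-00a0c91e6bf6 "
                + "1416195761178 8a929cde-2218-4557-8d4e-82a79a37876d\"";
        System.out.println(parse(multi, "_ "));
        // Single-session cookie: the bare id maps to the default alias.
        System.out.println(parse("f81d4fae-7dec-11d0-a765-00a0c91e6bf6", "_ "));
        // Constructed malformed value: unsafe alias dropped, dangling alias ignored.
        System.out.println(parse("0 id-a <x> id-b 7", "_ "));
    }
}
```

Every id the parser returns comes from the client and only counts as a session once SessionRepository.getSession finds it, which is why the account-listing code on this page skips entries whose lookup returns null.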

Sessions can be managed by using the HttpSessionManager and SessionRepository. If you are not using Spring in the rest of your application, you can obtain a reference from the HttpServletRequest attributes. An example is provided below:

HttpSessionManager sessionManager =
    (HttpSessionManager) req.getAttribute(HttpSessionManager.class.getName());
SessionRepository<Session> repo =
    (SessionRepository<Session>) req.getAttribute(SessionRepository.class.getName());

String currentSessionAlias = sessionManager.getCurrentSessionAlias(req);
Map<String, String> sessionIds = sessionManager.getSessionIds(req);
String newSessionAlias = String.valueOf(System.currentTimeMillis());

String contextPath = req.getContextPath();
List<Account> accounts = new ArrayList<>();
Account currentAccount = null;
for (Map.Entry<String, String> entry : sessionIds.entrySet()) {
    String alias = entry.getKey();
    String sessionId = entry.getValue();

    // Skip ids from the cookie that no longer resolve to a stored session.
    Session session = repo.getSession(sessionId);
    if (session == null) {
        continue;
    }

    // A session without a username is not logged in; reuse its alias for "add account".
    String username = session.getAttribute("username");
    if (username == null) {
        newSessionAlias = alias;
        continue;
    }

    String logoutUrl = sessionManager.encodeURL("./logout", alias);
    String switchAccountUrl = sessionManager.encodeURL("./", alias);
    Account account = new Account(username, logoutUrl, switchAccountUrl);
    if (currentSessionAlias.equals(alias)) {
        currentAccount = account;
    } else {
        accounts.add(account);
    }
}

req.setAttribute("currentAccount", currentAccount);
req.setAttribute("addAccountUrl", sessionManager.encodeURL(contextPath, newSessionAlias));
req.setAttribute("accounts", accounts);

Constructor and Description |
---|
CookieHttpSessionStrategy() |

Modifier and Type | Method and Description |
---|---|
java.lang.String | encodeURL(java.lang.String url, java.lang.String sessionAlias) Provides the ability to encode the URL for a given session alias. |
java.lang.String | getCurrentSessionAlias(HttpServletRequest request) Gets the current session's alias from the HttpServletRequest. |
java.lang.String | getNewSessionAlias(HttpServletRequest request) Gets a new and unique Session alias. |
java.lang.String | getRequestedSessionId(HttpServletRequest request) Obtains the requested session id from the provided HttpServletRequest. |
java.util.Map<java.lang.String,java.lang.String> | getSessionIds(HttpServletRequest request) Gets a mapping of the session alias to the session id from the HttpServletRequest. |
void | onInvalidateSession(HttpServletRequest request, HttpServletResponse response) This method is invoked when a session is invalidated and should inform a client that the session id is no longer valid. |
void | onNewSession(Session session, HttpServletRequest request, HttpServletResponse response) This method is invoked when a new session is created and should inform a client what the new session id is. |
void | setCookieName(java.lang.String cookieName) Deprecated. |
void | setCookieSerializer(CookieSerializer cookieSerializer) Sets the CookieSerializer to be used. |
void | setDeserializationDelimiter(java.lang.String delimiter) Sets the delimiter between a session alias and a session id when deserializing a cookie. |
void | setSerializationDelimiter(java.lang.String delimiter) Sets the delimiter between a session alias and a session id when deserializing a cookie. |
void | setSessionAliasParamName(java.lang.String sessionAliasParamName) Sets the name of the HTTP parameter that is used to specify the session alias. |
HttpServletRequest | wrapRequest(HttpServletRequest request, HttpServletResponse response) Allows customizing the HttpServletRequest. |
HttpServletResponse | wrapResponse(HttpServletRequest request, HttpServletResponse response) Allows customizing the HttpServletResponse. |

public java.lang.String getRequestedSessionId(HttpServletRequest request)
Description copied from interface: HttpSessionStrategy
Obtains the requested session id from the provided HttpServletRequest. For example, the session id might come from a cookie or a request header.
Specified by: getRequestedSessionId in interface HttpSessionStrategy
Parameters:
request - the HttpServletRequest to obtain the session id from. Cannot be null.
Returns: the HttpServletRequest to obtain the session id from.

public java.lang.String getCurrentSessionAlias(HttpServletRequest request)
Description copied from interface: HttpSessionManager
Gets the current session's alias from the HttpServletRequest.
Specified by: getCurrentSessionAlias in interface HttpSessionManager
Parameters:
request - the HttpServletRequest to obtain the current session's alias from.

public java.lang.String getNewSessionAlias(HttpServletRequest request)
Description copied from interface: HttpSessionManager
Gets a new and unique Session alias.
HttpSessionManager#encodeURL(java.lang.String). For example:
String newAlias = httpSessionManager.getNewSessionAlias(request);
String addAccountUrl = httpSessionManager.encodeURL("./", newAlias);
Specified by: getNewSessionAlias in interface HttpSessionManager
Parameters:
request - the HttpServletRequest to get a new alias from

public void onNewSession(Session session, HttpServletRequest request, HttpServletResponse response)
Description copied from interface: HttpSessionStrategy
This method is invoked when a new session is created and should inform a client what the new session id is.
Session at this time. For example, they may wish to add the IP Address, browser headers, the username, etc to the Session.
Specified by: onNewSession in interface HttpSessionStrategy
Parameters:
session - the Session that is being sent to the client. Cannot be null.
request - the HttpServletRequest that created the new Session. Cannot be null.
response - the HttpServletResponse that is associated with the HttpServletRequest that created the new Session. Cannot be null.

public void onInvalidateSession(HttpServletRequest request, HttpServletResponse response)
Description copied from interface: HttpSessionStrategy
This method is invoked when a session is invalidated and should inform a client that the session id is no longer valid.
Specified by: onInvalidateSession in interface HttpSessionStrategy
Parameters:
request - the HttpServletRequest that invalidated the Session. Cannot be null.
response - the HttpServletResponse that is associated with the HttpServletRequest that invalidated the Session. Cannot be null.

public void setSessionAliasParamName(java.lang.String sessionAliasParamName)
Sets the name of the HTTP parameter that is used to specify the session alias.
Parameters:
sessionAliasParamName - the name of the HTTP parameter used to specify the session alias. If null, then only a single session is supported per browser.

public void setCookieSerializer(CookieSerializer cookieSerializer)
Sets the CookieSerializer to be used.
Parameters:
cookieSerializer - the cookieSerializer to set. Cannot be null.

@Deprecated public void setCookieName(java.lang.String cookieName)
Deprecated. Use setCookieSerializer(CookieSerializer)
Parameters:
cookieName - the name of the cookie to be used

public void setDeserializationDelimiter(java.lang.String delimiter)
Sets the delimiter between a session alias and a session id when deserializing a cookie.
Parameters:
delimiter - the delimiter to set (i.e. "_ " will try a delimiter of either "_" or " ")

public void setSerializationDelimiter(java.lang.String delimiter)
Sets the delimiter between a session alias and a session id when deserializing a cookie.
Parameters:
delimiter - the delimiter to set (i.e. "_")

public java.util.Map<java.lang.String,java.lang.String> getSessionIds(HttpServletRequest request)
Description copied from interface: HttpSessionManager
Gets a mapping of the session alias to the session id from the HttpServletRequest.
Specified by: getSessionIds in interface HttpSessionManager
Parameters:
request - the HttpServletRequest to obtain the mapping from. Cannot be null.
Returns: a mapping of the session alias to the session id from the HttpServletRequest. Cannot be null.

public HttpServletRequest wrapRequest(HttpServletRequest request, HttpServletResponse response)
Description copied from interface: RequestResponsePostProcessor
Allows customizing the HttpServletRequest.
Specified by: wrapRequest in interface RequestResponsePostProcessor
Parameters:
request - the original HttpServletRequest. Cannot be null.
response - the original HttpServletResponse. This is NOT the result of RequestResponsePostProcessor.wrapResponse(HttpServletRequest, HttpServletResponse). Cannot be null.
Returns: HttpServletRequest

public HttpServletResponse wrapResponse(HttpServletRequest request, HttpServletResponse response)
Description copied from interface: RequestResponsePostProcessor
Allows customizing the HttpServletResponse.
Specified by: wrapResponse in interface RequestResponsePostProcessor
Parameters:
request - the original HttpServletRequest. This is NOT the result of RequestResponsePostProcessor.wrapRequest(HttpServletRequest, HttpServletResponse). Cannot be null.
response - the original HttpServletResponse. Cannot be null.
Returns: HttpServletResponse

public java.lang.String encodeURL(java.lang.String url, java.lang.String sessionAlias)
Description copied from interface: HttpSessionManager
Provides the ability to encode the URL for a given session alias.
Specified by: encodeURL in interface HttpSessionManager
Parameters:
url - the url to encode.
sessionAlias - the session alias to encode.