org.springframework.session.web.http

Class HeaderHttpSessionStrategy

java.lang.Object

org.springframework.session.web.http.HeaderHttpSessionStrategy

All Implemented Interfaces:

HttpSessionStrategy

public class HeaderHttpSessionStrategy
extends java.lang.Object
implements HttpSessionStrategy

A HttpSessionStrategy that uses a header to obtain the session from. Specifically, this implementation will allow specifying a header name using setHeaderName(String). The default is "x-auth-token". When a session is created, the HTTP response will have a response header of the specified name and the value of the session id. For example:

 HTTP/1.1 200 OK
 x-auth-token: f81d4fae-7dec-11d0-a765-00a0c91e6bf6
 

The client should now include the session in each request by specifying the same header in their request. For example:

 GET /messages/ HTTP/1.1
 Host: example.com
 x-auth-token: f81d4fae-7dec-11d0-a765-00a0c91e6bf6
 

When the session is invalidated, the server will send an HTTP response that has the header name and a blank value. For example:

 HTTP/1.1 200 OK
 x-auth-token:
 

Since:

1.0

Author:

Rob Winch

Constructor Summary

Constructors

Constructor and Description
HeaderHttpSessionStrategy()

Method Summary

Modifier and Type	Method and Description
java.lang.String	getRequestedSessionId(HttpServletRequest request) Obtains the requested session id from the provided HttpServletRequest.
void	onInvalidateSession(HttpServletRequest request, HttpServletResponse response) This method is invoked when a session is invalidated and should inform a client that the session id is no longer valid.
void	onNewSession(Session session, HttpServletRequest request, HttpServletResponse response) This method is invoked when a new session is created and should inform a client what the new session id is.
void	setHeaderName(java.lang.String headerName) The name of the header to obtain the session id from.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

HeaderHttpSessionStrategy

public HeaderHttpSessionStrategy()

Method Detail

getRequestedSessionId

public java.lang.String getRequestedSessionId(HttpServletRequest request)

Description copied from interface: HttpSessionStrategy

Obtains the requested session id from the provided HttpServletRequest. For example, the session id might come from a cookie or a request header.

Specified by:

getRequestedSessionId in interface HttpSessionStrategy

Parameters:

request - the HttpServletRequest to obtain the session id from. Cannot be null.

Returns:

the HttpServletRequest to obtain the session id from.

onNewSession

public void onNewSession(Session session,
                         HttpServletRequest request,
                         HttpServletResponse response)

Description copied from interface: HttpSessionStrategy

This method is invoked when a new session is created and should inform a client what the new session id is. For example, it might create a new cookie with the session id in it or set an HTTP response header with the value of the new session id. Some implementations may wish to associate additional information to the Session at this time. For example, they may wish to add the IP Address, browser headers, the username, etc to the Session.

Specified by:

onNewSession in interface HttpSessionStrategy

Parameters:

session - the Session that is being sent to the client. Cannot be null.

request - the HttpServletRequest that create the new Session Cannot be null.

response - the HttpServletResponse that is associated with the HttpServletRequest that created the new Session Cannot be null.

onInvalidateSession

public void onInvalidateSession(HttpServletRequest request,
                                HttpServletResponse response)

Description copied from interface: HttpSessionStrategy

This method is invoked when a session is invalidated and should inform a client that the session id is no longer valid. For example, it might remove a cookie with the session id in it or set an HTTP response header with an empty value indicating to the client to no longer submit that session id.

Specified by:

onInvalidateSession in interface HttpSessionStrategy

Parameters:

request - the HttpServletRequest that invalidated the Session Cannot be null.

response - the HttpServletResponse that is associated with the HttpServletRequest that invalidated the Session Cannot be null.

setHeaderName

public void setHeaderName(java.lang.String headerName)

The name of the header to obtain the session id from. Default is "x-auth-token".

Parameters:

headerName - the name of the header to obtain the session id from.