Class CookieHttpSessionIdResolver

java.lang.Object
org.springframework.session.web.http.CookieHttpSessionIdResolver
All Implemented Interfaces:
HttpSessionIdResolver

public final class CookieHttpSessionIdResolver extends Object implements HttpSessionIdResolver
An HttpSessionIdResolver that obtains the session id from a cookie. The cookie serialization strategy can be customized using setCookieSerializer(CookieSerializer). The default cookie name is "SESSION". When a session is created, the HTTP response will have a cookie with the specified cookie name and the value of the session id. The cookie will be marked as a session cookie, use the context path for the path of the cookie, be marked as HttpOnly, and, if ServletRequest.isSecure() returns true, be marked as Secure. For example:
 HTTP/1.1 200 OK
 Set-Cookie: SESSION=f81d4fae-7dec-11d0-a765-00a0c91e6bf6; Path=/context-root; Secure; HttpOnly
 
The client should now include the session in each request by specifying the same cookie in their request. For example:
 GET /messages/ HTTP/1.1
 Host: example.com
 Cookie: SESSION=f81d4fae-7dec-11d0-a765-00a0c91e6bf6
 
When the session is invalidated, the server will send an HTTP response that expires the cookie. For example:
 HTTP/1.1 200 OK
 Set-Cookie: SESSION=f81d4fae-7dec-11d0-a765-00a0c91e6bf6; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Secure; HttpOnly
 
Since:
1.0
  • Constructor Details

    • CookieHttpSessionIdResolver

      public CookieHttpSessionIdResolver()
  • Method Details

    • resolveSessionIds

      public List<String> resolveSessionIds(jakarta.servlet.http.HttpServletRequest request)
      Description copied from interface: HttpSessionIdResolver
      Resolve the session ids associated with the provided HttpServletRequest. For example, the session id might come from a cookie or a request header.
      Specified by:
      resolveSessionIds in interface HttpSessionIdResolver
      Parameters:
      request - the current request
      Returns:
      the session ids
    • setSessionId

      public void setSessionId(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response, String sessionId)
      Description copied from interface: HttpSessionIdResolver
      Send the given session id to the client. This method is invoked when a new session is created and should inform a client what the new session id is. For example, it might create a new cookie with the session id in it or set an HTTP response header with the value of the new session id.
      Specified by:
      setSessionId in interface HttpSessionIdResolver
      Parameters:
      request - the current request
      response - the current response
      sessionId - the session id
    • expireSession

      public void expireSession(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response)
      Description copied from interface: HttpSessionIdResolver
      Instruct the client to end the current session. This method is invoked when a session is invalidated and should inform a client that the session id is no longer valid. For example, it might remove a cookie with the session id in it or set an HTTP response header with an empty value indicating to the client to no longer submit that session id.
      Specified by:
      expireSession in interface HttpSessionIdResolver
      Parameters:
      request - the current request
      response - the current response
    • setCookieSerializer

      public void setCookieSerializer(CookieSerializer cookieSerializer)
      Sets the CookieSerializer to be used.
      Parameters:
      cookieSerializer - the cookieSerializer to set. Cannot be null.
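
Because the Secure attribute described above depends on ServletRequest.isSecure(), a deployment that terminates TLS upstream can end up issuing the session cookie without it. The following added example (not part of the Spring Session documentation) sets the attributes explicitly through setCookieSerializer; it assumes DefaultCookieSerializer from spring-session-core and the servlet mocks from spring-test, and the class name SessionCookieDemo and the "__Host-SESSION" cookie name are illustrative choices.

```java
import java.util.UUID;

import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.session.web.http.CookieHttpSessionIdResolver;
import org.springframework.session.web.http.DefaultCookieSerializer;

// Hypothetical demo class; needs spring-session-core and spring-test on the classpath.
public class SessionCookieDemo {

    // Builds a resolver whose cookie attributes do not depend on request.isSecure().
    static CookieHttpSessionIdResolver hardenedResolver() {
        DefaultCookieSerializer serializer = new DefaultCookieSerializer();
        // "__Host-" prefix: browsers accept the cookie only with Secure, Path=/ and no Domain.
        serializer.setCookieName("__Host-SESSION");
        serializer.setCookiePath("/");
        // Always emit Secure, even when TLS is terminated upstream and isSecure() is false.
        serializer.setUseSecureCookie(true);
        serializer.setUseHttpOnlyCookie(true);
        serializer.setSameSite("Strict");

        CookieHttpSessionIdResolver resolver = new CookieHttpSessionIdResolver();
        resolver.setCookieSerializer(serializer);
        return resolver;
    }

    public static void main(String[] args) {
        CookieHttpSessionIdResolver resolver = hardenedResolver();

        // Constructed request: plain HTTP, as seen behind a TLS-terminating proxy.
        MockHttpServletRequest request = new MockHttpServletRequest("GET", "/messages/");
        request.setSecure(false);
        MockHttpServletResponse response = new MockHttpServletResponse();

        // Constructed session id; a real one comes from the session repository.
        resolver.setSessionId(request, response, UUID.randomUUID().toString());
        response.getHeaders("Set-Cookie").forEach(System.out::println);

        // Invalidate: the resolver writes a Set-Cookie that expires the cookie.
        MockHttpServletResponse logout = new MockHttpServletResponse();
        resolver.expireSession(request, logout);
        logout.getHeaders("Set-Cookie").forEach(System.out::println);
    }
}
```

The expiring Set-Cookie must carry the same name and path as the original for the browser to drop the cookie, which is why both calls go through the same resolver instance.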