Reputation: 41
How to config spring-session to support HeaderHttpSessionStrategy and CookieHttpSessionStrategy in one application?
I have a project want to support android,ios,pc web. I try to use https://github.com/spring-projects/spring-session, can it be just config in an application to support HttpSession and rest token?
if it can,how i can config it?
Upvotes: 4
Views: 2813
Answers (2)
Reputation: 1
you can utilize spring's BeanFactoryPostProcessor ,to overwrite the postProcessAfterInitialization() to config the SessionRepositoryFilter's httpSessionStrategy by call it's setHttpSessionStrategy() method after it's initialization in spring.
Upvotes: 0
Reputation: 193
One thing that worked for me was to reimplement the ***HttpSessionStrategy using code from both Cookie and Header implementations.
You can see the concrete implementation of these classes here:
- https://github.com/spring-projects/spring-session/blob/master/spring-session/src/main/java/org/springframework/session/web/http/HeaderHttpSessionStrategy.java
- https://raw.githubusercontent.com/spring-projects/spring-session/master/spring-session/src/main/java/org/springframework/session/web/http/CookieHttpSessionStrategy.java
So the getRequestedSessionId becomes:
public String getRequestedSessionId(HttpServletRequest request) {
// header part
String sessionId = request.getHeader(headerName);
if(sessionId != null && !sessionId.isEmpty())
return sessionId;
// cookie part
Map<String,String> sessionIds = getSessionIds(request);
String sessionAlias = getCurrentSessionAlias(request);
return sessionIds.get(sessionAlias);
}
onInvalidateSession becomes:
public void onInvalidateSession(HttpServletRequest request, HttpServletResponse response) {
// header part
response.setHeader(headerName, "");
// cookie part
Map<String,String> sessionIds = getSessionIds(request);
String requestedAlias = getCurrentSessionAlias(request);
sessionIds.remove(requestedAlias);
Cookie sessionCookie = createSessionCookie(request, sessionIds);
response.addCookie(sessionCookie);
}
onNewSession becomes:
public void onNewSession(Session session, HttpServletRequest request, HttpServletResponse response) {
// header part
response.setHeader(headerName, session.getId());
// cookie part
Set<String> sessionIdsWritten = getSessionIdsWritten(request);
if(sessionIdsWritten.contains(session.getId())) {
return;
}
sessionIdsWritten.add(session.getId());
Map<String,String> sessionIds = getSessionIds(request);
String sessionAlias = getCurrentSessionAlias(request);
sessionIds.put(sessionAlias, session.getId());
Cookie sessionCookie = createSessionCookie(request, sessionIds);
response.addCookie(sessionCookie);
}
I used this in production for a browser/mobile REST API and it suits all my needs.
Upvotes: 2
Related Questions
- Spring-security - httponlycookie into existing jwt intergration?
- Is there any way to enable 2 HttpSessionStrategy together in Spring Session?
- can the HeaderHttpSessionStrategy work with Cookies in Spring Session
- Spring Security: JWT token for API and session for web
- CSRF protection and Spring Session header session strategy
- Supporting multiple sessions per browser by incorporating a custom HTTP header
- HeaderHttpSessionStrategy x-auth-token is it safe?
- Session handling with Spring REST application
- Spring RestTemplate session
- How do I set multiple cookies for spring-integration http-inbound-gateway?