Dawood
Reputation: 301
HeaderHttpSessionStrategy x-auth-token is it safe?
Is it safe to use HeaderHttpSessionStrategy? one can get hold of the x-auth-token and the same session can be simulated across browsers and machines
Upvotes: 0
Views: 451
Answers (1)
Vedran Pavic
Reputation: 2389
Note that cookies themselves are in fact HTTP headers. The header named Cookie contains your cookie, which makes your concern applicable to both session strategies Spring Session provides out of the box (although cookies can be considered safer since they are domain restricted).
Ultimately, what will make both strategies safe is the use of SSL transport, i.e. HTTPS.
Upvotes: 2
Related Questions
- Spring Security using HTTP headers
- Form Login and HTTP Authorization header
- Adding 'Authorization' header causes Spring Security to secure a permitted endpoint
- Can't access response header (x-auth-token sent by spring session)
- can the HeaderHttpSessionStrategy work with Cookies in Spring Session
- CSRF protection and Spring Session header session strategy
- Spring Security Header Based Authentication
- Spring OAuth2 Access Token in HTTP Header
- How to config spring-session to support HeaderHttpSessionStrategy and CookieHttpSessionStrategy in one application?
- Handle HTTP Basic Authorization header in Spring