Jeeba

Reputation: 101

How to create a new cookie for a newly logged-in user in Spring Security

I'm using Spring Security 3.0 with Spring MVC. My Java web application is a shopping cart. I'm using a service that stores a shopping list in the session. When User A creates a shopping list, then logs out and logs in again, the shopping list is restored as normal, but if another User B goes to the same application using the SAME browser and logs in, the session is restored using the shopping list of User A!

What I can understand is that the JSESSION cookie doesn't change when User A logs out in the same browser. That is the reason that if User A logs in to the application using another browser, he doesn't have the same session data: the JSESSION cookie is different.

I'm using my own authentication success handler for login and logout.

    <http auto-config="true" use-expressions="true">
        <intercept-url pattern="/index.html" access="permitAll"/>
        <form-login login-page="/index.html"
                    default-target-url="/index.html"
                    authentication-success-handler-ref="loginSuccessHandler" />

        <logout invalidate-session="false" logout-url="/logout" success-handler-ref="logoutSuccessHandler" />
        <!-- <logout invalidate-session="false" success-handler-ref="logoutSuccessHandler" /> -->
    </http>

And yes, using invalidate-session="true" might be a short-time solution, but in this way I cannot use data saved in the session.

What I want is that when User A logs in on a browser, saves some data to the session (the shopping list), and then logs out, User B gets his own session instead of using the session of User A. I suspect that the answer is in assigning a new cookie to User B, but also assigning the old cookie to User A.

Upvotes: 0

Views: 1436

Answers (2)

Stephen C

Reputation: 719386

The closest you will get is a <session-management> element.

  • If you set the session-fixation-protection attribute to "migrateSession", the new token will have the session attributes from the old token.

  • If you set it to "newSession" the session attributes will be discarded.

Refer to the Spring Security manual for more details.


What I want is that when User A logs in on a browser, saves some data to the session (the shopping list), and then logs out, User B gets his own session instead of using the session of User A. I suspect that the answer is in assigning a new cookie to User B, but also assigning the old cookie to User A.

I don't think that you will achieve this by simply changing the session token. The problem is that the browser only stores one session token. Once the token has been changed, the browser has no knowledge of the old token value and the server has no knowledge of who owns the old token. If you want the shopping list to persist beyond the end of the session (i.e. after UserA logs out), you will have to persist it somewhere else.

Upvotes: 1

sourcedelica

Reputation: 24047

You need to store the shopping cart in the DB, not in the session. You'll also need a cron job that purges stale carts so they don't fill up the DB.

Upvotes: 0
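Putting the two answers together, here is an added example (not code from the question or from either answer) of a logout handler that copies the cart out of the session per user and then invalidates the session, so the next login in the same browser starts with a fresh JSESSIONID and an empty session, and a login handler that restores that user's own cart. It assumes the session attribute name `cart`, a hypothetical in-memory `CartStore` standing in for the database table sourcedelica suggests, the `/index.html` redirect target from the question's config, and that `invalidate-session="false"` is kept so the session is still readable when the logout success handler runs.

```java
import java.io.IOException;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;

/** Hypothetical per-user cart store; an in-memory stand-in for the DB table the second answer recommends. */
class CartStore {
    private static final Map<String, List<String>> CARTS = new ConcurrentHashMap<String, List<String>>();
    static void save(String user, List<String> items) { CARTS.put(user, items); }
    static List<String> load(String user) { return CARTS.get(user); }
}

/** Wire as the <logout success-handler-ref>: save the cart under the user's name, then drop the session. */
class CartSavingLogoutHandler implements LogoutSuccessHandler {
    public void onLogoutSuccess(HttpServletRequest request, HttpServletResponse response,
                                Authentication auth) throws IOException {
        HttpSession session = request.getSession(false);
        if (session != null) {
            if (auth != null) {
                @SuppressWarnings("unchecked")
                List<String> cart = (List<String>) session.getAttribute("cart");
                if (cart != null) CartStore.save(auth.getName(), cart);
            }
            // Invalidating here is what stops User B from inheriting User A's session attributes.
            session.invalidate();
        }
        response.sendRedirect(request.getContextPath() + "/index.html");
    }
}

/** Wire as the <form-login authentication-success-handler-ref>: rebuild the new session from the user's own cart. */
class CartRestoringLoginHandler implements AuthenticationSuccessHandler {
    public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
                                        Authentication auth) throws IOException {
        List<String> cart = CartStore.load(auth.getName());
        if (cart != null) request.getSession(true).setAttribute("cart", cart);
        response.sendRedirect(request.getContextPath() + "/index.html");
    }
}
```

Register both classes as beans named `logoutSuccessHandler` and `loginSuccessHandler` to match the question's config; the session-fixation-protection setting from the first answer still applies to the login step, but since the old session is already gone by then there are no attributes left to migrate.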
