Working of the Spring session

We have just seen that Spring Session and plain HTTP session handling follow different mechanisms. Let's look in depth at how Spring actually does it. The question can be answered by understanding two things: first, how to create a session that stores its data efficiently and reliably; and second, how to determine which session is associated with which incoming request:

  • The data store: Data stores such as Apache Geode and GemFire provide a well-defined solution for storing data. Spring, instead of defining a store of its own, provides the implementation that allows developers to use such an underlying data store. The interfaces that provide support for using the data store are Session, ExpiringSession, and SessionRepository:
    • Session: This lets developers add attributes to and remove attributes from the session. It is generally used where the traditional HttpSession would have been used with Servlets.
    • ExpiringSession: This facilitates determining whether the session has expired or not.
    • SessionRepository: This provides the methods to create, save, update, and delete a session. It does so by storing the session object in the underlying data store.
  • The session determination: This is always associated with the request, to know which session is associated with which incoming request, based on the transfer protocol. Spring defines HttpSessionStrategy for the HTTP protocol. The implementations provided by Spring are CookieHttpSessionStrategy, which uses an HTTP cookie to associate a session ID with a request, and HeaderHttpSessionStrategy, which uses an HTTP header for session ID association.
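The following is an added example, not code from the book, that exercises the SessionRepository contract described above with Spring Session's in-memory MapSessionRepository. It assumes Spring Session 1.x on the classpath (the generation that still has ExpiringSession and MapSessionRepository.getSession()); the attribute name "username" and value "alice" are constructed sample data. The same create/save/load/delete calls apply unchanged to the Redis, Geode or GemFire repositories.

```java
// Added example (not from the book): a round trip through Spring Session's
// SessionRepository abstraction using the in-memory MapSessionRepository.
// Assumes Spring Session 1.x, whose repository still returns ExpiringSession.
import org.springframework.session.ExpiringSession;
import org.springframework.session.MapSessionRepository;

public class SessionRepositoryDemo {

    public static void main(String[] args) throws InterruptedException {
        // The data store: a ConcurrentHashMap behind the SessionRepository contract.
        MapSessionRepository repository = new MapSessionRepository();
        // Expire sessions after 1 second of inactivity so the expiry path is visible
        // in a short run; a production value is minutes (the default is 1800 seconds).
        repository.setDefaultMaxInactiveInterval(1);

        // 1. Create a session and attach data to it, as one would with HttpSession.
        //    "username"/"alice" is constructed sample data.
        ExpiringSession session = repository.createSession();
        session.setAttribute("username", "alice");
        repository.save(session);
        String id = session.getId();
        System.out.println("created session " + id);

        // 2. Look it up again by its ID; the repository hands back a copy of the
        //    stored state, so callers never mutate the store's own object.
        ExpiringSession loaded = repository.getSession(id);
        System.out.println("username = " + loaded.getAttribute("username"));

        // 3. Let the inactivity interval elapse. getSession() consults isExpired(),
        //    removes the stale entry and returns null, so expired state is never served.
        Thread.sleep(1500);
        ExpiringSession afterExpiry = repository.getSession(id);
        System.out.println("lookup after expiry: " + afterExpiry);

        // 4. Explicit invalidation (logout): delete removes the entry regardless of expiry.
        ExpiringSession fresh = repository.createSession();
        repository.save(fresh);
        repository.delete(fresh.getId());
        System.out.println("lookup after delete: " + repository.getSession(fresh.getId()));
    }
}
```

Two points matter for session security here: the repository, not the caller, enforces the inactivity timeout on every lookup, and delete() is the hook a logout handler should call so that a stolen session ID stops resolving to a session immediately rather than at expiry.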

Spring provides the following configuration, in the Spring Security namespace, to manage a session in different scenarios:

  • Session creation: This can be configured as follows:
<http create-session="XXX"> 

The following table shows the values for the create-session attribute:

  Value of the attribute   What action to take regarding the session?
  ----------------------   ------------------------------------------------------------
  always                   A session is always created if one does not already exist.
  ifRequired               A new session is created only if required.
  stateless                Spring Security neither creates nor uses a session.
  never                    An existing session is used if available, but if no session
                           exists, a new one is never created.

  • Concurrent session management: Sometimes developers need to stop a user from holding more than one session. The following configuration allows only one session per user:
<session-management> 
   <concurrency-control 
      max-sessions="1" error-if-maximum-exceeded="false" /> 
</session-management> 
  • Session fixation protection: A session fixation attack can be prevented using the following configuration:
<session-management session-fixation-protection="migrateSession" />
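The three settings above (session creation policy, concurrency control and session fixation protection) can also be expressed in Spring Security's Java configuration. The following is an added example, not code from the book; it assumes Spring Security 4.x or 5.x with WebSecurityConfigurerAdapter still available, and the "/login?expired" URL is a constructed placeholder.

```java
// Added example (not from the book): the same session-management settings as the
// XML namespace snippets, in Spring Security Java configuration.
// Assumes Spring Security 4.x/5.x (WebSecurityConfigurerAdapter-based configuration).
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.session.HttpSessionEventPublisher;

@Configuration
@EnableWebSecurity
public class SessionSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .and()
            .sessionManagement()
                // <http create-session="ifRequired">
                .sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
                // <session-management session-fixation-protection="migrateSession" />:
                // on successful authentication a new session ID is issued and the old
                // session's attributes are copied across, so a session ID that was known
                // before login no longer identifies the authenticated session.
                .sessionFixation().migrateSession()
                // <concurrency-control max-sessions="1" error-if-maximum-exceeded="false" />:
                // a second login for the same user expires the earlier session instead of
                // being rejected; maxSessionsPreventsLogin(true) would reject it instead.
                .maximumSessions(1)
                    .maxSessionsPreventsLogin(false)
                    // constructed placeholder URL shown when an expired session is used
                    .expiredUrl("/login?expired");
    }

    // Concurrency control counts live sessions through session lifecycle events;
    // without this publisher, destroyed sessions are never released from the registry.
    @Bean
    public HttpSessionEventPublisher httpSessionEventPublisher() {
        return new HttpSessionEventPublisher();
    }
}
```

The HttpSessionEventPublisher bean is the part most often forgotten: with it missing, the session registry keeps counting sessions that the container has already destroyed, and legitimate users end up locked out or holding stale entries.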