Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How does Spring Security sessions work?

How do Spring sessions work when you login to a form on Spring security as described in this tutorial? http://static.springsource.org/spring-security/site/tutorial.html

Is it cookie based? Im not sure what exactly is going on that allows the user to log in and have it remember and keep you logged in for the remainder of the browsing session.

like image 839
Rolando Avatar asked Dec 08 '11 03:12

Rolando


People also ask

How does Spring Security handle session timeout?

One way to handle it would be to inject the username into the session when user logs in and then use an ordinary httpsessionlistener and do the same thing on session timeout.

How does Spring Security concurrent session control work?

Spring security provides a mechanism to control and limit the maximum number of single-user open sessions. This mechanism prevents users from exceeding the number of allowed simultaneous connections. For example, Netflix limits the number of screens you can watch at the same time according to your subscription plan.

Where does Spring Security Store session?

Spring Security handles login and logout requests and stores information about the logged-in user in the HTTP session of the underlying webserver (Tomcat, Jetty, or Undertow). To track which session belongs to which client, the webserver sets a cookie with a random session id and stores the session object in memory.


1 Answers

It is cookie based similar to how the servlet maintains sessions . If cookies are disabled, you would have to resort to URL rewriting .According to the FAQ here.

"All it sees are HTTP requests and it ties those to a particular session according to the value of the the JSESSIONID cookie that they contain. When a user authenticates during a session, Spring Security's concurrent session control checks the number of other authenticated sessions that they have. If they are already authenticated with the same session, then re-authenticating will have no effect. "

also

"If clients have cookies disabled, and you are not rewriting URLs to include the jsessionid, then the session will be lost. Note that the use of cookies is preferred for security reasons, as it does not expose the session information in the URL. "

See here for the Single sign on feature

like image 168
Aravind A Avatar answered Oct 05 '22 10:10

Aravind A