Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How does Spring Security sessions work?

Tags:

spring

jakarta-ee

spring-security

How do Spring sessions work when you login to a form on Spring security as described in this tutorial? http://static.springsource.org/spring-security/site/tutorial.html

Is it cookie based? Im not sure what exactly is going on that allows the user to log in and have it remember and keep you logged in for the remainder of the browsing session.

like image 839
Rolando Avatar asked Dec 08 '11 03:12

Rolando

People also ask

How does Spring Security handle session timeout?

One way to handle it would be to inject the username into the session when user logs in and then use an ordinary httpsessionlistener and do the same thing on session timeout.

How does Spring Security concurrent session control work?

Spring security provides a mechanism to control and limit the maximum number of single-user open sessions. This mechanism prevents users from exceeding the number of allowed simultaneous connections. For example, Netflix limits the number of screens you can watch at the same time according to your subscription plan.

Where does Spring Security Store session?

Spring Security handles login and logout requests and stores information about the logged-in user in the HTTP session of the underlying webserver (Tomcat, Jetty, or Undertow). To track which session belongs to which client, the webserver sets a cookie with a random session id and stores the session object in memory.

1 Answers

It is cookie based similar to how the servlet maintains sessions . If cookies are disabled, you would have to resort to URL rewriting .According to the FAQ here.

"All it sees are HTTP requests and it ties those to a particular session according to the value of the the JSESSIONID cookie that they contain. When a user authenticates during a session, Spring Security's concurrent session control checks the number of other authenticated sessions that they have. If they are already authenticated with the same session, then re-authenticating will have no effect. "

also

"If clients have cookies disabled, and you are not rewriting URLs to include the jsessionid, then the session will be lost. Note that the use of cookies is preferred for security reasons, as it does not expose the session information in the URL. "

See here for the Single sign on feature

like image 168
Aravind A Avatar answered Oct 05 '22 10:10

Aravind A
Sign in to Comment

Related questions

How to use @NamedQuery in spring a CrudRepository @Query?
Spring Batch: get list of defined jobs at runtime
How to find all revisions for an entity using spring data envers?
Spring Cloud Config Server Priority of Environment Variables
Java 9 - REST with Spring 5 & Jigsaw - Is it possible?
Spring-Boot one @Scheduled task using multiple cron expressions from yaml file
Enforce constraints on @Value annotated field in Spring Boot application
Spring boot 1.5.2 - web application stops after loading logo?
Spring unit test MockMvc fails when using custom filter in Spring Security
How to use Spring Boot authentication with Redis session
org.openqa.selenium.WebDriverException: Timed out waiting for driver server to start. Build info: version: 'unknown', revision: 'unknown'
How to map entity to table in Spring Data JDBC?
Auto-redirect root path to Spring Boot Context Path
How to auto configure programmatically?
How can I access the ApplicationContext from within a JAX-WS web service?
Finding out order of bean creation in the spring IOC
Spring MVC 3.0 and Apache Tiles 2
spring security (3.0.x) and user impersonation
Jackson JSON do not wrap attributes of nested object
Spring 3.1 without persistence.xml gives "Unable to resolve persistence unit root URL"

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!