Skip to content

CookieHttpSessionStrategy should look at all cookies not just the first #275

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
rwinch opened this issue Aug 21, 2015 · 0 comments · Fixed by #906
Closed

CookieHttpSessionStrategy should look at all cookies not just the first #275

rwinch opened this issue Aug 21, 2015 · 0 comments · Fixed by #906
Assignees
@vpavic
Labels
type: bug A general bug
Milestone
2.0.0.RC1

Comments

@rwinch
Copy link
Member

rwinch commented Aug 21, 2015
edited
Loading

Right now if multiple cookies are submitted to Spring Session, it only considers the first cookie with the correct name. We should inspect additional cookies if the session id in the first cookie was not valid.

We need to select the first session id that is valid for this application. So for example, if a request to /other/ is made

GET /other/ HTTP/1.1
Host: example.com

HTTP/1.1 200 OK
Set-Cookie: SESSION=df540dc9-6919-4fe2-a410-5b04cdf9917c; Path=/other/

Then a request to / is made

GET / HTTP/1.1
Host: example.com

HTTP/1.1 200 OK
Set-Cookie: SESSION=e4616883-678c-4e1b-a154-d3106fe60bf6; Path=/

Finally another request to /other/ is made in which both SESSION cookies are submitted with the request:

GET /other/ HTTP/1.1
Host: example.com
Cookie: SESSION=eba15ac9-3fa6-40cb-8666-20bcc4b6bf22; SESSION=ddaa23ff-698b-4af4-9a89-285185bf1ef9

If these two sessions are for different applications, then we must select the correct session id. Note that the client will not include the path information in the request (it is only in the response).

We must also consider a similar scenario for the domain.

Part of the struggle with this is how to make the changes passive (or as passive as possible) without looking up the session multiple times.

Relates to gh-362
@rwinch rwinch added this to the 1.1.0 M1 milestone Aug 21, 2015
@rwinch rwinch added the type: bug A general bug label Aug 21, 2015
@rwinch rwinch mentioned this issue Sep 8, 2015
Closed
@rwinch rwinch modified the milestones: 1.1.0 M1, 1.1.0 RC1 Nov 17, 2015
@rwinch rwinch modified the milestones: 1.2.0 M1, 1.1.0 RC1 Feb 11, 2016
@rwinch rwinch mentioned this issue Mar 1, 2016
Closed
eddumelendez added a commit to eddumelendez/spring-session that referenced this issue Apr 27, 2016
@eddumelendez
Look at all cookies instead just the first
c479122 
Previous to this commit, just the first cookie is considered. Now, all
cookies are considered to look for SESSION cookie.

See spring-projectsgh-275
@eddumelendez eddumelendez mentioned this issue Apr 27, 2016
Closed
1 task
@rwinch rwinch mentioned this issue Jun 7, 2016
Closed
@rwinch rwinch mentioned this issue Jun 27, 2016
Closed
@rwinch rwinch modified the milestones: 1.3.0 M1, 2.0 M1 Sep 7, 2016
eddumelendez added a commit to eddumelendez/spring-session that referenced this issue Oct 4, 2016
@eddumelendez
Look at all cookies instead just the first
b3875b7 
Previous to this commit, just the first cookie is considered. Now, all
cookies are considered to look for SESSION cookie.

See spring-projectsgh-275
@eddumelendez eddumelendez mentioned this issue Oct 4, 2016
Closed
@rwinch rwinch modified the milestones: 2.0.0 M1, 2.0.0.M2 May 10, 2017
@rwinch rwinch modified the milestones: 2.0.0.M2, 2.0.0.M3 Jun 16, 2017
@rwinch rwinch modified the milestones: 2.0.0.M3, 2.0.0.M4 Jul 21, 2017
@rwinch rwinch modified the milestones: 2.0.0.M4, 2.0.0.M5 Sep 13, 2017
@rwinch rwinch modified the milestones: 2.0.0.M5, 2.0.0.RC1 Oct 3, 2017
@vpavic vpavic self-assigned this Oct 25, 2017
vpavic added a commit to vpavic/spring-session that referenced this issue Oct 25, 2017
@vpavic
Align HttpSessionStrategy with WebSessionIdResolver
97731f5 
This commit simplifies `HttpSessionStrategy` API by aligning it with Spring Framework's `WebSessionIdResolver`. As a part of this, support for managing multiple users' sessions has been removed.

Closes spring-projectsgh-275
Closes spring-projectsgh-362
@vpavic vpavic mentioned this issue Oct 25, 2017
Merged
vpavic added a commit to vpavic/spring-session that referenced this issue Oct 26, 2017
@vpavic
Align HttpSessionStrategy with WebSessionIdResolver
c6aba6b 
This commit simplifies `HttpSessionStrategy` API by aligning it with Spring Framework's `WebSessionIdResolver`. As a part of this, support for managing multiple users' sessions has been removed.

Closes spring-projectsgh-275
Closes spring-projectsgh-362
rwinch pushed a commit that referenced this issue Oct 26, 2017
@vpavic @rwinch
Align HttpSessionStrategy with WebSessionIdResolver
cd394bb 
This commit simplifies `HttpSessionStrategy` API by aligning it with Spring Framework's `WebSessionIdResolver`. As a part of this, support for managing multiple users' sessions has been removed.

Closes gh-275
Closes gh-362
@vpavic vpavic mentioned this issue Apr 13, 2018
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@vpavic vpavic

Labels
type: bug A general bug
Projects
None yet
Milestone
2.0.0.RC1
Development

Successfully merging a pull request may close this issue.

Align HttpSessionStrategy with WebSessionIdResolver vpavic/spring-session
2 participants
@rwinch @vpavic