Uploaded image for project: 'Spring Framework'
  1. Spring Framework
  2. SPR-15917

Introduce header-based WebSessionIdResolver

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Minor
    • Resolution: Complete
    • Affects Version/s: 5.0 RC3
    • Fix Version/s: 5.0 RC4
    • Component/s: Reactive, Web
    • Labels:
      None

      Description

      Create a header-based implementation of WebSessionIdResolver.

        Activity

        Hide
        rstoya05-aop Rossen Stoyanchev added a comment -

        Greg Turnquist, could you provide a little more context on this request?

        In particular, in a header-based session id resolution strategy, there is no way to implement setSessionId since the request headers are immutable and even if changed (i.e. mutating the exchange) will not help the client to know the session id. The tests do not show this problem because they use a Mockito mock for the request. Switching to MockServerHttpRequest should demonstrate the problem.

        Show
        rstoya05-aop Rossen Stoyanchev added a comment - Greg Turnquist , could you provide a little more context on this request? In particular, in a header-based session id resolution strategy, there is no way to implement setSessionId since the request headers are immutable and even if changed (i.e. mutating the exchange) will not help the client to know the session id. The tests do not show this problem because they use a Mockito mock for the request. Switching to MockServerHttpRequest should demonstrate the problem.
        Hide
        gregturn Greg Turnquist added a comment -

        The basis for doing this is to support Spring Session's option to switch between Cookie-based and header-based session management.

        I guess I didn't read close enough, thinking that the read-only nature of the headers was buried in the MockServerHttpRequest, not realizing that is actually in AbstractServerHttpRequest.

        Assuming some solution was rendered, why can't clients know the session id? It's covered by WebSessionIdResolver.resolveSessionIds API, where the headers are inspected.

        Show
        gregturn Greg Turnquist added a comment - The basis for doing this is to support Spring Session's option to switch between Cookie-based and header-based session management. I guess I didn't read close enough, thinking that the read-only nature of the headers was buried in the MockServerHttpRequest, not realizing that is actually in AbstractServerHttpRequest. Assuming some solution was rendered, why can't clients know the session id? It's covered by WebSessionIdResolver.resolveSessionIds API, where the headers are inspected.
        Hide
        rstoya05-aop Rossen Stoyanchev added a comment - - edited

        How does a remote client such as a browser know what session id to send in a header in the first place? In the Cookie strategy, the setSessionId saves the session id to a response cookie, which is then sent with the next request as a cookie too and that's how the session gets carried forward from request to request.

        Show
        rstoya05-aop Rossen Stoyanchev added a comment - - edited How does a remote client such as a browser know what session id to send in a header in the first place? In the Cookie strategy, the setSessionId saves the session id to a response cookie, which is then sent with the next request as a cookie too and that's how the session gets carried forward from request to request.
        Hide
        gregturn Greg Turnquist added a comment -

        Okay, I should have coded setSessionId to actually put that in the response headers, which I'm attempting to fix this PR.

        Show
        gregturn Greg Turnquist added a comment - Okay, I should have coded setSessionId to actually put that in the response headers, which I'm attempting to fix this PR.
        Hide
        gregturn Greg Turnquist added a comment -

        I updated the PR so that it focuses on setting response headers. Also verifies that is parses incoming HTTP session headers properly.

        Show
        gregturn Greg Turnquist added a comment - I updated the PR so that it focuses on setting response headers. Also verifies that is parses incoming HTTP session headers properly.

          People

          • Assignee:
            rstoya05-aop Rossen Stoyanchev
            Reporter:
            gregturn Greg Turnquist
            Last updater:
            St├ęphane Nicoll
          • Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved:
              Days since last comment:
              2 weeks, 3 days ago