Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Introduce header-based WebSessionIdResolver [SPR-15917] #20471

Closed
spring-issuemaster opened this issue Aug 30, 2017 · 5 comments

Comments

Projects
None yet
2 participants
@spring-issuemaster
Copy link
Collaborator

commented Aug 30, 2017

Greg Turnquist opened SPR-15917 and commented

Create a header-based implementation of WebSessionIdResolver.


Affects: 5.0 RC3

Referenced from: pull request #1510, and commits 167ddc7, c98e01a

@spring-issuemaster

This comment has been minimized.

Copy link
Collaborator Author

commented Sep 5, 2017

Rossen Stoyanchev commented

Greg Turnquist, could you provide a little more context on this request?

In particular, in a header-based session id resolution strategy, there is no way to implement setSessionId since the request headers are immutable and even if changed (i.e. mutating the exchange) will not help the client to know the session id. The tests do not show this problem because they use a Mockito mock for the request. Switching to MockServerHttpRequest should demonstrate the problem.

@spring-issuemaster

This comment has been minimized.

Copy link
Collaborator Author

commented Sep 5, 2017

Greg Turnquist commented

The basis for doing this is to support Spring Session's option to switch between Cookie-based and header-based session management.

I guess I didn't read close enough, thinking that the read-only nature of the headers was buried in the MockServerHttpRequest, not realizing that is actually in AbstractServerHttpRequest.

Assuming some solution was rendered, why can't clients know the session id? It's covered by WebSessionIdResolver.resolveSessionIds API, where the headers are inspected.

@spring-issuemaster

This comment has been minimized.

Copy link
Collaborator Author

commented Sep 5, 2017

Rossen Stoyanchev commented

How does a remote client such as a browser know what session id to send in a header in the first place? In the Cookie strategy, the setSessionId saves the session id to a response cookie, which is then sent with the next request as a cookie too and that's how the session gets carried forward from request to request.

@spring-issuemaster

This comment has been minimized.

Copy link
Collaborator Author

commented Sep 5, 2017

Greg Turnquist commented

Okay, I should have coded setSessionId to actually put that in the response headers, which I'm attempting to fix this PR.

@spring-issuemaster

This comment has been minimized.

Copy link
Collaborator Author

commented Sep 5, 2017

Greg Turnquist commented

I updated the PR so that it focuses on setting response headers. Also verifies that is parses incoming HTTP session headers properly.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.