I was trying to get session cookies working with Spring WebFlux and Redis. I implemented a custom logout endpoint that invalidates the existing WebSession.
Now I ran into the issue that the session cookie is not deleted if I set the maxAge property in my application.yaml like this:
server:
  reactive:
    session:
      cookie:
        maxAge: 30m
The reason for this lies in the implementation of the expireSession and the initSessionCookie methods:
spring-framework/spring-web/src/main/java/org/springframework/web/server/session/CookieWebSessionIdResolver.java, line 114 in 6548cee
spring-framework/spring-web/src/main/java/org/springframework/web/server/session/CookieWebSessionIdResolver.java, line 129 in 1f1f222
If we have the properties set as mentioned, then the cookieInitializer in line 129 gets triggered, which overwrites the previously set maxAge value of 0 with the one set in the properties, thus resulting in a session cookie that has an empty value but is still valid for the defined duration.
This causes problems: as soon as the user calls an endpoint that works with the session cookie, the call fails with an IllegalArgumentException saying "sessionId must not be empty".
In the case of expiring a session, the maxAge should always be 0, no matter what was set in the application properties.
I changed the implementation of the expireSession method like this, which causes the correct maxAge to be set in this specific case, and the cookie gets removed from the browser.
Maybe this or a similar solution could replace the previous one, so that we are still able to define a maxAge for our session cookies and have them invalidated once we don't need them anymore.
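The ordering problem described in the report, shown as an added, self-contained example (this is not code from the issue or from Spring's CookieWebSessionIdResolver, and the initializer that sets a 30-minute lifetime is a constructed stand-in for whatever Boot wires from the application properties). Only the real org.springframework.http.ResponseCookie builder is used; both helper methods and their names are assumptions made for illustration. The first builder applies the initializer after maxAge(0), so the "deletion" cookie is sent with Max-Age=1800 and an empty value; the second applies the initializer first and then forces maxAge(0), which is what a logout response needs so the browser actually drops the cookie:

```java
import java.time.Duration;
import java.util.function.Consumer;

import org.springframework.http.ResponseCookie;

public class SessionCookieExpiryDemo {

    // Constructed stand-in for a cookieInitializer derived from application properties
    // (e.g. server.reactive.session.cookie.maxAge=30m). Assumption, not Boot's actual wiring.
    static final Consumer<ResponseCookie.ResponseCookieBuilder> INITIALIZER_FROM_PROPERTIES =
            builder -> builder.maxAge(Duration.ofMinutes(30));

    /** Ordering as reported: maxAge(0) is set first, then the initializer runs and overrides it. */
    static ResponseCookie buildExpiredCookieAsReported(String cookieName,
            Consumer<ResponseCookie.ResponseCookieBuilder> initializer) {
        ResponseCookie.ResponseCookieBuilder builder = ResponseCookie.from(cookieName, "")
                .path("/")
                .maxAge(Duration.ZERO)
                .httpOnly(true);
        if (initializer != null) {
            // Overrides Max-Age with 30 minutes: an empty-valued session cookie that outlives logout.
            initializer.accept(builder);
        }
        return builder.build();
    }

    /** Corrected ordering: the initializer runs first, and maxAge(0) is forced afterwards when expiring. */
    static ResponseCookie buildExpiredCookieFixed(String cookieName,
            Consumer<ResponseCookie.ResponseCookieBuilder> initializer) {
        ResponseCookie.ResponseCookieBuilder builder = ResponseCookie.from(cookieName, "")
                .path("/")
                .httpOnly(true);
        if (initializer != null) {
            initializer.accept(builder);
        }
        // Expiry always wins over the configured lifetime.
        builder.maxAge(Duration.ZERO);
        return builder.build();
    }

    /** What a logout response should produce: empty value and Max-Age=0. */
    static boolean isDeletionCookie(ResponseCookie cookie) {
        return cookie.getValue().isEmpty() && cookie.getMaxAge().isZero();
    }

    public static void main(String[] args) {
        ResponseCookie reported = buildExpiredCookieAsReported("SESSION", INITIALIZER_FROM_PROPERTIES);
        ResponseCookie fixed = buildExpiredCookieFixed("SESSION", INITIALIZER_FROM_PROPERTIES);
        // ResponseCookie.toString() renders the Set-Cookie header value.
        System.out.println("as reported: " + reported + "  deletes cookie? " + isDeletionCookie(reported));
        System.out.println("fixed:       " + fixed + "  deletes cookie? " + isDeletionCookie(fixed));
    }
}
```

Compile against spring-web on the classpath and run the main method. The check in isDeletionCookie is also a cheap assertion to keep in an integration test for any logout endpoint: inspect the Set-Cookie header of the logout response for an empty value and Max-Age=0 rather than trusting that the session store was cleared, since a cookie that survives with an empty value is exactly what produces the "sessionId must not be empty" failure on the next request.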
rstoyanchev changed the title from "Spring Reactive WebSession - Session Cookie is not deleted if maxage property is set in application properties" to "Session Cookie in Reactive WebSession is not deleted if maxAge is set through cookie initializer (e.g. via Boot application property)" on Nov 6, 2023.