Session Cookie in Reactive WebSession is not deleted if maxAge is set through cookie initializer (e.g. via Boot application property) #31214

Closed
Kardeen opened this issue Sep 13, 2023 · 2 comments
Labels: in: web (Issues in web modules: web, webmvc, webflux, websocket), type: bug (A general bug)

Kardeen commented Sep 13, 2023

I was trying to get session cookies working with Spring WebFlux and Redis. I implemented a custom logout endpoint that invalidates the existing WebSession.

Now I ran into the issue that the session cookie is not deleted if I set the maxAge property in my application.yaml like this:

```yaml
server:
  reactive:
    session:
      cookie:
        maxAge: 30m
```

The reason for this lies in the implementation of the expireSession and the initSessionCookie methods.

```java
ResponseCookie cookie = initSessionCookie(exchange, "", Duration.ZERO);
```

If we have the properties set as mentioned, the cookieInitializer in line 129 gets triggered, which overwrites the previously set maxAge value of 0 with the one set in the properties, thus resulting in a session cookie that has an empty value but is still valid for the defined duration.

This causes problems: as soon as the user calls an endpoint that works with the session cookie, the call fails with an IllegalArgumentException saying sessionId must not be empty.

In the case of expiring a session, the maxAge should always be 0, no matter what was set in the application properties.

I changed the implementation of the expireSession method like this, which causes the correct maxAge to be set in the specific case and the cookie gets removed from the browser.

```java
@Override
public void expireSession(ServerWebExchange exchange) {
    ResponseCookie cookie = initSessionCookie(exchange, "", Duration.ZERO)
            .mutate()
            .maxAge(Duration.ZERO)
            .build();
    exchange.getResponse().getCookies().set(this.cookieName, cookie);
}
```

Maybe this or a similar solution could replace the previous one, so that we are still able to define a maxAge for our session cookies and have them invalidated once we don't need them anymore.

spring-projects-issues added the status: waiting-for-triage label Sep 13, 2023

seabamirum commented

I'm also encountering this issue. Might be possible to override CookieWebSessionIdResolver and wire it as a custom bean in the meantime.

seabamirum commented

This worked for me:

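```java
import org.springframework.http.ResponseCookie;
import org.springframework.stereotype.Component;
import org.springframework.web.server.ServerWebExchange;
import org.springframework.web.server.session.CookieWebSessionIdResolver;

@Component
public class CustomCookieWebSessionIdResolver extends CookieWebSessionIdResolver {

    @Override
    public void expireSession(ServerWebExchange exchange) {
        // Build the expiry cookie directly so no cookie initializer can change maxAge.
        ResponseCookie.ResponseCookieBuilder cookieBuilder = ResponseCookie.from("SESSION")
                .path(exchange.getRequest().getPath().contextPath().value() + "/")
                .maxAge(0)
                .httpOnly(true);

        exchange.getResponse().getCookies().set("SESSION", cookieBuilder.build());
    }
}
```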
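
A regression check for the behaviour reported in this thread, as an added example that is not part of the original issue or of Spring's own code: it registers a 30-minute maxAge through a cookie initializer, calls expireSession against a mock exchange, and reports whether the resulting cookie was emptied without being expired. The class name ExpireSessionCookieCheck and the /logout path are assumptions, and spring-web and spring-test are assumed to be on the classpath.

```java
import java.time.Duration;

import org.springframework.http.ResponseCookie;
import org.springframework.mock.http.server.reactive.MockServerHttpRequest;
import org.springframework.mock.web.server.MockServerWebExchange;
import org.springframework.web.server.session.CookieWebSessionIdResolver;

// Added example (hypothetical class name), not code from the issue or from Spring.
public class ExpireSessionCookieCheck {

    // Returns null when the expiry cookie is correct, otherwise a description of the problem.
    static String checkExpiry(CookieWebSessionIdResolver resolver) {
        // Constructed request; the path is arbitrary.
        MockServerWebExchange exchange =
                MockServerWebExchange.from(MockServerHttpRequest.get("/logout"));
        resolver.expireSession(exchange);

        ResponseCookie cookie =
                exchange.getResponse().getCookies().getFirst(resolver.getCookieName());
        if (cookie == null) {
            return "no expiry cookie written";
        }
        if (!cookie.getValue().isEmpty()) {
            return "expiry cookie still carries a value";
        }
        if (!cookie.getMaxAge().isZero()) {
            // The condition reported in this issue: empty value, non-zero lifetime.
            return "expiry cookie has Max-Age " + cookie.getMaxAge().getSeconds() + "s";
        }
        return null;
    }

    public static void main(String[] args) {
        CookieWebSessionIdResolver resolver = new CookieWebSessionIdResolver();
        // Mirrors the maxAge: 30m setting from the report, applied as a cookie initializer.
        resolver.addCookieInitializer(builder -> builder.maxAge(Duration.ofMinutes(30)));

        String problem = checkExpiry(resolver);
        if (problem != null) {
            System.err.println("FAIL: " + problem);
            System.exit(1);
        }
        System.out.println("OK: session cookie is expired with Max-Age=0");
    }
}
```

Passing an instance of a subclass that overrides expireSession to checkExpiry verifies a workaround the same way.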

rstoyanchev self-assigned this Nov 6, 2023

rstoyanchev added the in: web and type: bug labels and removed the status: waiting-for-triage label Nov 6, 2023

rstoyanchev added this to the 6.1.0 milestone Nov 6, 2023

rstoyanchev changed the title from "Spring Reactive WebSession - Session Cookie is not deleted if maxage property is set in application properties" to "Session Cookie in Reactive WebSession is not deleted if maxAge is set through cookie initializer (e.g. via Boot application property)" Nov 6, 2023

rstoyanchev modified the milestones: 6.1.0, 6.0.14 Nov 8, 2023

rstoyanchev added a commit that referenced this issue Nov 8, 2023