Provide Session Id Generation Strategy

[rwinch]

We are currently using UIDs for session id generation. It may be better to include other characters to increase the entropy. We should be careful in how we use SecureRandom See https://www.synopsys.com/blogs/software-security/proper-use-of-javas-securerandom/ Last, we may want to make generating ids a strategy interface so that users can swap this out

• See PR Allow for configuration of session id generation and format. #204

[artgramlich]

+1
Thanks for closing the other issue, somehow I didn't see this issue.

[artgramlich]

I submitted a pull request #204.

[derylspielman]

This would be very helpful so that we can customize the session ID with a suffix of the jvmRoute. We have legacy code that requires the .jvmRoute at the end and currently calling httpRequest.getSession().getId()
comes without the jvmRoute. Any progress on this?

[abhishekjoy1]

Hi, I am trying to overwrite the UUID generated as part of MapSession as there is a potential risk involved with this (https://neilmadden.blog/2018/08/30/moving-away-from-uuids/).

To mitigate this risk, I am trying to overwrite the session-id generated through framework as follows taking the idea from (https://stackoverflow.com/questions/48353967/how-to-modify-or-custom-sessionid-in-spring-session-project):

`
@EnableSpringHttpSession
public class CustomSessionRepository implements SessionRepository {

        private Integer defaultMaxInactiveInterval;
        private  Map<String, Session> sessions = new ConcurrentHashMap<>();

        public CustomSessionRepository() {
             this.sessions = sessions;
        }

        public void setDefaultMaxInactiveInterval(int defaultMaxInactiveInterval) {
             this.defaultMaxInactiveInterval = defaultMaxInactiveInterval;
        }
   
        public void save(MapSession session) {
            if (!session.getId().equals(session.getOriginalId())) {
                this.sessions.remove(session.getOriginalId());
           }

          this.sessions.put(session.getId(), new MapSession(session));
        }

        public MapSession findById(String id) {
             Session saved = (Session)this.sessions.get(id);
             if (saved == null) {
                 return null;
             } else if (saved.isExpired()) {
                  this.deleteById(saved.getId());
                  return null;
             } else {
                 return new MapSession(saved);
             }
        }

        public void deleteById(String id) {
            this.sessions.remove(id);
        }

       public MapSession createSession() {
           MapSession result = new MapSession(myCustomId());
           if (this.defaultMaxInactiveInterval != null) {
              result.setMaxInactiveInterval(Duration.ofSeconds((long)this.defaultMaxInactiveInterval));
         }

       return result;
     }
   }

`

But this is not working. Now the session is not getting persisted to Redis. I cannot understand what I am missing here.

In this context, I have gone through this: #1406, but did not get a concrete idea. I have posted a question in SO also in this regard: https://stackoverflow.com/questions/62897170/how-to-instantiate-org-springframework-session-mapsession-in-my-spring-boot-appl

Could anyone please help me to fix this? Thanks.

[PvanHengel]

Hi where do we stand on this enhancement, our security team feels that the session ids being generated are not random enough (eg long enough), and would like a way to modify it. Does anyone know if there is an alternative and/or how we can get this PR updated and merged in?

[marcusdacoregio]

Hi @PvanHengel, I am planning on getting this done for the 3.1 release.

[marcusdacoregio]

Closing in favor of #2286