Session keys are stored as cookies in the browser and within a backend store like redis to hold the concrete session data.
Problem description
Using spring session in a "normal" production environment separates the sessions within the cookies by hostname and/or (tomcat)-context, so no session data is merged within the backend.
This is especially important, if the session contains serialized binary data (i.e. instances of classes), because the deserialization may throw a ClassNotFoundException if a second app using the same session key may not know the serialized class.
However, on a developer machine, it is "normal" that several apps are started on the same host (i.e. localhost) using different ports but the same root context. This is even more true when using spring-boot, because it is easy to start several webapps up by mvn spring-boot:run so that they run on localhost with different ports.
This results in merging the sessions because all cookies will be registered on host "localhost" with contextPath "/".
Requirement
It would be helpful, if it is possible to configure application specific session keys to avoid session merging.
Of course, this could be done by using the session selector parameter (__s=key), but this is not process safe because the developer has to do this by hand.
Possible solution alternatives
There are several ways to implement this feature:
Use a fixed session selector per app. The current implementation uses the last one found if no selector is given. Fixing this to a static selector may separate the sessions
Make the session key configurable in the Session class. This could be done by a key-prefix/suffix
Make session serialization configurable by a prefix/suffix.
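
The merge described in this issue can be reproduced with a small model. This is an added example, not code from the issue author or from Spring Session: `Browser`, `App`, `run` and the cookie names are hypothetical, a dict stands in for the shared backend store, and a per-app cookie name is assumed as one way to get the requested separation.

```python
"""Constructed model: browser cookie scoping ignores the port, so two apps on
localhost share one session cookie unless each app uses its own cookie name."""
from http.cookies import SimpleCookie
import uuid


class Browser:
    """Keeps cookies per (host, path, name); the port is not part of the key."""

    def __init__(self):
        self.jar = {}

    def store(self, host, set_cookie_header):
        for name, morsel in SimpleCookie(set_cookie_header).items():
            self.jar[(host, morsel["path"] or "/", name)] = morsel.value

    def cookie_header(self, host, path="/"):
        return "; ".join(f"{n}={v}" for (h, p, n), v in self.jar.items()
                         if h == host and path.startswith(p))


class App:
    """Hypothetical web app; `store` stands in for the shared backend store."""

    def __init__(self, name, store, cookie_name="SESSION"):
        self.name, self.store, self.cookie_name = name, store, cookie_name

    def handle(self, cookie_header):
        """Return (session attributes, Set-Cookie header or None)."""
        sent = SimpleCookie(cookie_header)
        sid = sent[self.cookie_name].value if self.cookie_name in sent else None
        set_cookie = None
        if sid not in self.store:  # unknown or missing id: start a new session
            sid = uuid.uuid4().hex
            self.store[sid] = {}
            set_cookie = f"{self.cookie_name}={sid}; Path=/; HttpOnly"
        self.store[sid][f"{self.name}.user"] = f"object-of-{self.name}"
        return self.store[sid], set_cookie


def run(cookie_a, cookie_b):
    """Visit app A (localhost:8080), then app B (localhost:8081), one browser.
    Returns (attribute names app B sees in its session, sessions in the store)."""
    store, browser = {}, Browser()
    for app in (App("appA", store, cookie_a), App("appB", store, cookie_b)):
        attrs, set_cookie = app.handle(browser.cookie_header("localhost"))
        if set_cookie:
            browser.store("localhost", set_cookie)
    return sorted(attrs), len(store)
```

With the same cookie name, app B's session already contains app A's attribute, which is the object it may not be able to deserialize; with distinct names each app gets its own session.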