My website is an e-commerce site where users can add items to their carts. Each user has a cart even if he/she doesn't log in (i.e. a guest user). I would like to identify the guest users by putting some kind of key in their cookies.

I wonder if Spring Framework can handle this already?

If that is not the case, I have to implement it myself, but I am not sure about the key to put in the cookies. I know about HMAC, but the key needs to be unique, right? What algorithm should I use to generate the key in this case?

asinkxcoswt
  • Why wouldn't you be able to use the default anonymous user for that? – M. Deinum Jul 18 '14 at 07:38
  • @M.Deinum, sorry for the late response. It's because I would like to persist his cart in the database, so that when he revisits the website later, the cart will still be there. Thus I need something to identify him. By the way, I am not sure what the "default anonymous user" is in Spring Framework. Does Spring already keep track of the anonymous users? Thanks. – asinkxcoswt Jul 18 '14 at 08:19
  • spring-security does not write any session indicator for the AnonymousAuthenticationToken, see the org.springframework.security.web.session.SessionManagementFilter.doFilter(ServletRequest, ServletResponse, FilterChain). – Sutra Jul 30 '17 at 11:54
  • In https://stackoverflow.com/questions/51045564/how-to-manage-guest-sessions-in-spring-boot it is said that you can force Spring to add JSESSIONID, and you can get JSESSIONID after this. – Amir Jun 26 '20 at 17:50

1 Answer

As I have the same requirement, I wrote spring-security-guest; it uses an X-Client-Token HTTP header generated by the client side to start a new session.

Sutra
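On the question's point about HMAC and uniqueness, the following is an added example, not code from the original posts or from spring-security-guest. It issues a guest cookie value made of a random 128-bit ID plus an HMAC tag, so uniqueness comes from `SecureRandom` while the HMAC key is a single server-side secret; the class name `GuestCartToken` and the `<id>.<tag>` cookie format are assumptions.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Optional;
// Hypothetical helper (name and cookie format are assumptions, not a Spring API).
public class GuestCartToken {
    private static final SecureRandom RNG = new SecureRandom();
    private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();
    private final SecretKeySpec key; // one server-side secret, shared by all guests

    public GuestCartToken(byte[] serverSecret) { key = new SecretKeySpec(serverSecret, "HmacSHA256"); }

    // Cookie value "<id>.<tag>": id is 128 random bits and is the cart's lookup key.
    public String issue() {
        byte[] id = new byte[16];
        RNG.nextBytes(id);
        String idPart = B64.encodeToString(id);
        return idPart + "." + B64.encodeToString(tag(idPart));
    }

    // Returns the guest id if the tag verifies; empty for tampered or malformed values.
    public Optional<String> verify(String cookie) {
        int dot = cookie == null ? -1 : cookie.indexOf('.');
        if (dot <= 0 || dot == cookie.length() - 1) return Optional.empty();
        String idPart = cookie.substring(0, dot);
        try {
            byte[] presented = Base64.getUrlDecoder().decode(cookie.substring(dot + 1));
            // MessageDigest.isEqual compares in constant time.
            return MessageDigest.isEqual(tag(idPart), presented) ? Optional.of(idPart) : Optional.empty();
        } catch (IllegalArgumentException e) { return Optional.empty(); }
    }
    private byte[] tag(String idPart) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(key);
            return mac.doFinal(idPart.getBytes(StandardCharsets.US_ASCII));
        } catch (GeneralSecurityException e) { throw new IllegalStateException(e); }
    }
    public static void main(String[] args) {
        // Constructed demo secret; a real deployment loads it from protected configuration.
        GuestCartToken t = new GuestCartToken("constructed-demo-secret".getBytes(StandardCharsets.US_ASCII));
        String cookie = t.issue();
        System.out.println(t.verify(cookie).isPresent());       // freshly issued value
        System.out.println(t.verify(cookie + "A").isPresent()); // value with an altered tag
    }
}
```

The value returned by `issue()` would be stored in a cookie marked `HttpOnly` and `Secure`, and the verified ID used as the key of the persisted cart row.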