4

I'm developing a web app using Spring Boot 2 and Gradle. I have currently implemented a custom remember-me mechanism (WITHOUT Spring Security), and I also added a series cookie, as described here.

Now I want to invalidate all of the user's sessions in case the token does not match. I would get all sessions of the user (a Bean that I save in the "userSession" attribute). How can I do that?

PS: I'm not using Spring Security.

Marco Sulla
    Possible duplicate of [How can I have list of all users logged in (via spring security) my web application](https://stackoverflow.com/questions/11271449/how-can-i-have-list-of-all-users-logged-in-via-spring-security-my-web-applicat) – Nikolai Shevchenko Mar 28 '18 at 16:12
  • @NikolayShevchenko: nope, I don't use Spring Security, so no SessionRegistry. – Marco Sulla Mar 28 '18 at 16:20
  • You don't have a Spring Security context in your app? If the security context is present, then you have the Spring SessionRegistry and the Spring Security filter to determine which user sends the request by looking at the JSESSIONID from the cookie. If you don't have a SecurityContext, you can use some parameter for cookie encoding and decoding. And when the parameter is changed you can't decode the cookie and it's not valid. But it is not a good way. – Aleksandrs Rudzitis Mar 28 '18 at 20:54

2 Answers

8

You have to create a custom HttpSession holder object that will hold active sessions that you can iterate and invalidate based on your conditions.

import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;


@Configuration
public class HttpSessionConfig {

    // Keyed by session id. A ConcurrentHashMap is required: the container calls
    // sessionCreated/sessionDestroyed from its own threads while request threads
    // read the map through getActiveSessions().
    private static final Map<String, HttpSession> sessions = new ConcurrentHashMap<>();

    // Snapshot of the currently tracked sessions (references, not copies).
    public List<HttpSession> getActiveSessions() {
        return new ArrayList<>(sessions.values());
    }

    // Spring Boot registers an HttpSessionListener bean with the embedded container.
    @Bean
    public HttpSessionListener httpSessionListener() {
        return new HttpSessionListener() {
            @Override
            public void sessionCreated(HttpSessionEvent hse) {
                sessions.put(hse.getSession().getId(), hse.getSession());
            }

            @Override
            public void sessionDestroyed(HttpSessionEvent hse) {
                // Fired on timeout and on invalidate(), so the map never holds dead sessions.
                sessions.remove(hse.getSession().getId());
            }
        };
    }
}
Venu Duggireddy
  • This means an object with all sessions lives for the lifecycle of the application. Is this not really expensive for memory? – Marco Sulla Mar 29 '18 at 11:44
  • Yes and no; it depends on how much data we are storing in the session, and a best practice is to store minimal information. The other option is to use Spring Session, which persists data in external systems like a DB; then you can get active sessions, and it is also good for clustered servers. – Venu Duggireddy Mar 29 '18 at 11:58
  • I'd like to add that the performance hit for this should be negligible because you're not copying sessions, you're copying references to them. Even if each session is very large, hse.getSession() is only returning the session reference. – Usman Mutawakil Oct 29 '22 at 09:41
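Building on the registry in this answer, here is an added example (not the answerer's code) of the step the question actually asks for: revoking every session of one user when the remember-me series cookie matches but its token does not. It assumes the "userSession" attribute is a bean exposing a hypothetical getUserId(), and that the registry itself is the listener so nothing is lost between creation and lookup.

```java
import java.util.Map;
import java.util.Objects;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;
import org.springframework.stereotype.Component;

// Hypothetical shape of the bean stored under the "userSession" attribute.
interface UserSession { String getUserId(); }

@Component
public class UserSessionRegistry implements HttpSessionListener {

    static final String USER_ATTR = "userSession";

    // ConcurrentHashMap: sessionDestroyed runs on container threads while a
    // request thread may be iterating in invalidateAllFor().
    private final Map<String, HttpSession> sessions = new ConcurrentHashMap<>();

    @Override
    public void sessionCreated(HttpSessionEvent e) {
        sessions.put(e.getSession().getId(), e.getSession());
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent e) {
        sessions.remove(e.getSession().getId());
    }

    /** Invalidates every tracked session of userId; returns how many were revoked.
     *  Call this from the remember-me filter on a series/token mismatch. */
    public int invalidateAllFor(String userId) {
        int revoked = 0;
        for (HttpSession s : sessions.values()) {
            try {
                Object u = s.getAttribute(USER_ATTR);
                if (u instanceof UserSession
                        && Objects.equals(((UserSession) u).getUserId(), userId)) {
                    s.invalidate();   // fires sessionDestroyed, which drops it from the map
                    revoked++;
                }
            } catch (IllegalStateException alreadyInvalid) {
                // Expired or invalidated by another thread between lookup and use;
                // the listener has removed (or will remove) it, so skip it.
            }
        }
        return revoked;
    }
}
```

This only sees sessions held in this JVM; on a clustered deployment the Spring Session approach from the other answer, with its shared store, is the place to do the same lookup.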
0

There is a module for that in Spring called Spring Session, which can easily manage all current sessions. Link for Spring Session documentation

To run it you basically must add a dependency in pom.xml:

    <dependency>
        <groupId>org.springframework.session</groupId>
        <artifactId>spring-session-jdbc</artifactId>
    </dependency>

and add some config properties to application.properties:

spring.session.store-type=jdbc
# Spring Boot 2 name of the schema initializer switch (Boot 1.x used spring.session.jdbc.initializer.enabled)
spring.session.jdbc.initialize-schema=always
# the script shipped by Spring Session for SQL Server; other DBs have their own schema-*.sql
spring.session.jdbc.schema=classpath:org/springframework/session/jdbc/schema-sqlserver.sql
spring.session.jdbc.table-name=SPRING_SESSION

In "spring.session.jdbc.schema=" you can pick your own type of DB or use an embedded one like H2. Spring will automatically create the tables for sessions from the built-in scripts, and the sessions will be stored there.