Session management is a crucial part of Spring Security: if sessions are not managed properly, the security of the application's data is directly affected. When we talk about sessions, several requirements come to mind. We need to detect session timeout, we need to handle concurrent sessions, and we need session fixation protection. Spring Security provides the session-management namespace element to cover all of these session requirements. Here we will go through them step by step.
Detect Session Timeout in Spring Security
Once the session has timed out and someone tries to access the application, we need to redirect the request to a chosen URL. Within the session-management namespace, we configure this with the invalid-session-url attribute.
Concurrent Session Control in Spring Security
A concurrent session means that one user has more than one session at the same time. Requirements here may vary: we may require that once a user logs in, no other session is allowed for that user at the same time. By default, more than one session can be open for one user. The concurrency-control namespace element controls this.
error-if-maximum-exceeded : If the value is true, Spring Security will show an error when the session limit is exceeded.
To listen for concurrency-control events, we need to add a listener in web.xml.
Session Fixation Attack Protection in Spring Security
Session fixation allows one person to fixate (pre-set) the session identifier of another person. The attacker does this by sending an email whose link carries the identifier in a query string; once the victim logs in under that identifier, the attacker can access the victim's account. Spring Security provides an attribute to prevent session fixation: in the session-management namespace, the session-fixation-protection attribute handles it and accepts the following values.
migrateSession : a new session is created and the existing session attributes are copied to it.
none : the original session continues and nothing is done.
newSession : creates a new session.
With all these configurations in place, find the Spring Security XML below.
security-config.xml
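Since the post's own security-config.xml is not reproduced here, the following is an added example (not the original post's file) that combines the session-management settings discussed above into one namespace configuration. The URL paths, the demo user and the single-session limit are assumptions chosen for illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security.xsd">

    <http use-expressions="true">
        <!-- Pages reached after a session problem must be reachable anonymously,
             otherwise the redirect itself would be blocked. -->
        <intercept-url pattern="/login*" access="permitAll" />
        <intercept-url pattern="/invalid-session" access="permitAll" />
        <intercept-url pattern="/**" access="isAuthenticated()" />

        <form-login login-page="/login"
                    default-target-url="/home"
                    authentication-failure-url="/login?error=true" />

        <!-- Deleting the cookie on logout avoids the browser presenting a stale
             session id and being bounced to invalid-session-url right after logout. -->
        <logout logout-success-url="/login?logout"
                invalidate-session="true"
                delete-cookies="JSESSIONID" />

        <!-- Timeout detection: requests carrying an expired/unknown session id go here.
             Fixation protection: a fresh id is issued at login and the old
             attributes are migrated, so a pre-set id is useless to an attacker. -->
        <session-management invalid-session-url="/invalid-session"
                            session-fixation-protection="migrateSession">
            <!-- One session per user (assumed limit). With error-if-maximum-exceeded="true"
                 the second login is rejected with an error; with "false" the earlier
                 session would be expired instead and sent to expired-url. -->
            <concurrency-control max-sessions="1"
                                 error-if-maximum-exceeded="true"
                                 expired-url="/login?expired" />
        </session-management>
    </http>

    <authentication-manager>
        <authentication-provider>
            <user-service>
                <!-- Constructed demo user; a real deployment uses a password encoder. -->
                <user name="alice" password="changeit" authorities="ROLE_USER" />
            </user-service>
        </authentication-provider>
    </authentication-manager>
</beans:beans>
```

For concurrency-control to work, web.xml must also register the listener org.springframework.security.web.session.HttpSessionEventPublisher, which publishes session-created and session-destroyed events so the registry knows when a user's session ends.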