{"id":20138206,"url":"https://github.com/innoq/cookie-based-session-springboot-app","last_synced_at":"2025-05-06T20:33:36.504Z","repository":{"id":39593400,"uuid":"285270651","full_name":"innoq/cookie-based-session-springboot-app","owner":"innoq","description":"Sample Spring Boot app using Spring Security that stores user session information in a cookie instead of having a server-side persisted session.","archived":false,"fork":false,"pushed_at":"2021-05-15T21:08:49.000Z","size":23,"stargazers_count":24,"open_issues_count":1,"forks_count":6,"subscribers_count":14,"default_branch":"master","last_synced_at":"2024-04-14T13:58:39.905Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/innoq.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2020-08-05T11:40:01.000Z","updated_at":"2024-03-14T00:18:04.000Z","dependencies_parsed_at":"2022-09-15T21:41:39.061Z","dependency_job_id":null,"html_url":"https://github.com/innoq/cookie-based-session-springboot-app","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/innoq%2Fcookie-based-session-springboot-app","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/innoq%2Fcookie-based-session-springboot-app/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/innoq%2Fcookie-based-session-springboot-app/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/innoq%2Fcookie-based-session-springboot-app/manifes
ts","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/innoq","download_url":"https://codeload.github.com/innoq/cookie-based-session-springboot-app/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":224528924,"owners_count":17326448,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-13T21:36:27.805Z","updated_at":"2024-11-13T21:36:28.407Z","avatar_url":"https://github.com/innoq.png","language":"Java","readme":"# Cookie-based Session Spring-Boot App\n\nThis project contains a very simple Spring Boot application that stores its user session \ninformation (e.g. username, roles) in a cookie instead of persisting it on the server side. \n\n## Usage\n\nLike any other Spring Boot app, it can be started as follows:\n\n    mvn spring-boot:run\n    \nIt listens on port 8080 and provides the following pages:\n\n* `/` - home page, requires authentication\n* `/other` - other page, requires authentication\n* `/login` - login form\n\nIt uses an in-memory authentication manager that knows exactly one set of valid credentials: \n`bob` / `builder`\n\n## Test\n\n1. open `http://localhost:8080/other`\n    * redirected to `http://localhost:8080/login?target=/other` (login form)\n    * hidden input field `target` contains the originally requested URL\n2. login with the credentials\n    * redirected to `http://localhost:8080/other` (other page)\n    * `UserInfo` cookie is set, value: `uid=bob\u0026roles=TESTER|USER\u0026hmac=...`\n
3. open `http://localhost:8080/`\n    * home page is displayed (authentication still valid)\n4. logout\n    * redirected to the login form\n    * hidden input field `target` is empty (no URL requested)\n    * `UserInfo` cookie is deleted\n\n## Solution (brief summary)\n\nDetails can be found in the code. The `WebSecurityConfig` class is a good entry point. \n \nA more detailed description can be found in the accompanying [blog post][].\n\n### `SessionCreationPolicy.STATELESS`\n\nSee https://docs.spring.io/spring-security/site/docs/5.3.3.RELEASE/api/org/springframework/security/config/http/SessionCreationPolicy.html#STATELESS\n\nPrevents the creation of a server-side session. Spring Security's default CSRF protection stores its token in the \nserver-side session, so CSRF has to be disabled as well for the policy to really take effect\n(see https://github.com/spring-projects/spring-security/issues/5299). Note that this removes CSRF protection entirely: \nthe browser attaches the `UserInfo` cookie to cross-site requests just as it would a session cookie, so a production \ndeployment needs a replacement that does not depend on the session, e.g. a `SameSite` attribute on the cookie or a \n`CsrfTokenRepository` such as Spring Security's `CookieCsrfTokenRepository`.  \n\n```java\n  protected void configure(HttpSecurity http) throws Exception {\n    http\n      ...\n\n      .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)\n      .and().csrf().disable()\n\n      ...\n  }\n```\n\n### `CookieSecurityContextRepository`\n\nReplaces the default `HttpSessionSecurityContextRepository` and persists the `SecurityContext` \nin a `Cookie`. Everything in that cookie is under the client's control, so the repository must verify the HMAC \n(the `hmac=...` part of the value shown above) before trusting `uid` and `roles`; the value is authenticated, \nnot encrypted, so nothing confidential belongs in it. 
\n\n```java\n  protected void configure(HttpSecurity http) throws Exception {\n    http\n      ...\n\n      .securityContext().securityContextRepository(cookieSecurityContextRepository)\n      .and().logout().permitAll().deleteCookies(UserInfoCookie.NAME)\n\n      ...\n  }\n``` \n\n### `LoginWithTargetUrlAuthenticationEntryPoint` and `RedirectToOriginalUrlAuthenticationSuccessHandler`\n\nThe default `RequestCache` is deactivated and instead the `LoginWithTargetUrlAuthenticationEntryPoint` is used to add \nthe originally requested URL to the login form request.\n\nThe `RedirectToOriginalUrlAuthenticationSuccessHandler` is used to redirect the user to the originally requested URL after \na successful login. Since `target` arrives as a request parameter, the success handler should only honour local \n(same-origin, path-only) URLs; otherwise the login form becomes an open redirect.\n\n```java\n  protected void configure(HttpSecurity http) throws Exception {\n    http\n      ...\n\n      .and().requestCache().disable()\n      .exceptionHandling().authenticationEntryPoint(loginWithTargetUrlAuthenticationEntryPoint)\n\n      .and().formLogin()\n      .loginPage(LOGIN_FORM_URL)\n      .successHandler(redirectToOriginalUrlAuthenticationSuccessHandler)\n\n      ...\n  }\n```\n\n--- \n\n[blog post]: https://innoq.com/en/blog/cookie-based-spring-security-session/\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Finnoq%2Fcookie-based-session-springboot-app","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Finnoq%2Fcookie-based-session-springboot-app","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Finnoq%2Fcookie-based-session-springboot-app/lists"}
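The README's test step 2 shows the cookie the app issues (`uid=bob&roles=TESTER|USER&hmac=...`), and the `CookieSecurityContextRepository` section explains that this cookie replaces the server-side session. The following is an added example, not code from the innoq project, that models that cookie format in a framework-independent way: it signs the `uid`/`roles` payload with an HMAC and refuses any cookie whose MAC does not verify, which is the check the repository has to perform before it can trust anything in the cookie. HMAC-SHA256 with a hex-encoded tag, the key, and the function names are assumptions; the project's actual algorithm and encoding are not stated on the page. Python is used so the example runs without Spring.

```python
"""Sign and verify a UserInfo cookie of the form uid=...&roles=...&hmac=...

Added illustration, not the project's own code: it models the cookie
value shown in the README (`uid=bob&roles=TESTER|USER&hmac=...`) in a
framework-independent way. The MAC algorithm (HMAC-SHA256, hex-encoded),
the key and the function names are assumptions.
"""
import hashlib
import hmac
from typing import Iterable, Optional, Tuple

# Assumed per-deployment secret. The real app would load it from configuration,
# never hard-code it; anyone who has it can mint a cookie for any uid/roles.
SECRET_KEY = b"assumed-demo-secret-key-change-me"

COOKIE_NAME = "UserInfo"
MAC_PREFIX = "&hmac="


def _payload(uid: str, roles: Tuple[str, ...]) -> str:
    """Build the bytes the MAC covers; these are the only bytes the server trusts."""
    for field in (uid, *roles):
        # A uid such as "bob&roles=ADMIN" would otherwise be signed as-is and
        # parsed back as two fields, so refuse the delimiters outright.
        if any(c in field for c in "&=|"):
            raise ValueError("uid and roles must not contain '&', '=' or '|'")
    return f"uid={uid}&roles={'|'.join(roles)}"


def _mac(payload: str, key: bytes) -> str:
    return hmac.new(key, payload.encode("utf-8"), hashlib.sha256).hexdigest()


def encode_user_info(uid: str, roles: Iterable[str], key: bytes = SECRET_KEY) -> str:
    """Produce the cookie value to send as Set-Cookie: UserInfo=<value>."""
    payload = _payload(uid, tuple(roles))
    return f"{payload}{MAC_PREFIX}{_mac(payload, key)}"


def decode_user_info(cookie_value: str, key: bytes = SECRET_KEY) -> Optional[Tuple[str, Tuple[str, ...]]]:
    """Return (uid, roles) if the MAC verifies; None means 'treat as unauthenticated'.

    The MAC is checked before any field is parsed, and compared in constant
    time so a forger learns nothing from response timing.
    """
    sep = cookie_value.rfind(MAC_PREFIX)
    if sep < 0:
        return None  # no MAC at all (e.g. a hand-made cookie)
    payload = cookie_value[:sep]
    presented = cookie_value[sep + len(MAC_PREFIX):]
    expected = _mac(payload, key)
    if not hmac.compare_digest(expected.encode("ascii"), presented.encode("utf-8")):
        return None  # tampered payload, wrong key, or truncated MAC
    fields = {}
    for part in payload.split("&"):
        name, _, value = part.partition("=")
        fields[name] = value
    if set(fields) != {"uid", "roles"}:
        return None  # authenticated, but not the shape this app issues
    roles = tuple(r for r in fields["roles"].split("|") if r)
    return fields["uid"], roles


if __name__ == "__main__":
    good = encode_user_info("bob", ["TESTER", "USER"])
    print("Set-Cookie:", f"{COOKIE_NAME}={good}")
    print("verified:", decode_user_info(good))
    # A client that edits its own cookie to add ADMIN invalidates the MAC.
    forged = good.replace("roles=TESTER|USER", "roles=TESTER|USER|ADMIN")
    print("forged roles verified:", decode_user_info(forged))
```

Run it directly to see a valid cookie round-trip and a forged one rejected. Two design points carry over to any implementation of the scheme: the MAC must be verified before the payload is parsed (so the parser never runs on attacker-chosen bytes) and the comparison must be constant-time; and because the cookie is only authenticated, not encrypted, `uid` and `roles` are readable by anyone who holds it.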