[JAVA] Break the Spring-Session session
Introduction
Have you ever wanted to disconnect a particular session of your web application from the outside? "Dangerous guy found! Disconnect for the time being" Like. Moreover, without touching the Web application ... The target is a web application that uses Spring-Session and holds the session in Redis. Then simply "Erase session information from Redis" I thought. I will experiment to see if it works. If you know a smarter way, I would appreciate it if you could point it out.
Restrictions, etc.
The contents of this article have been confirmed to work in the following environments.
- java version "11.0.7" 2020-04-14 LTS
- Docker Desktop 2.2.0.5
- Windows 10 + MINGW32(git-bash) (Checking operation on Mac, I think it will work)
Prepare Redis
Docker is easy to prepare for Redis. I used this. Create a redis environment with docker-compose
$ docker-compose up -d
So, start Redis.
- Of course, you can install Redis directly on your OS.
Spring-Session application preparation
I can't experiment without the Spring-Session application, but I can't find a nice simple sample app. So I made a simple app and placed it below. Sprint-Session-Sample
Spring-Session-Sample behavior
1. Run the app in the downloaded or cloned directory
$ ./gradlew bootRun
If you connect to the default port of Redis (6379) and it starts up successfully
The above string will appear.
2. Access http: // localhost: 8080 /
Enter a character string in each field and press the [next] button.
The entered character string is displayed on the next screen that inherits the session.
When the session expires (default 30 minutes), the error screen transitions.
This state is reproduced by an external operation.
Observing and manipulating Redis
Observe what Redis items are registered to manage your session.
--Using redis-cli
$ docker exec -it [CONTAINER ID] /bin/bash
root@[CONTAINER ID]:/data# redis-cli
127.0.0.1:6379>(Command input here)
- Check the CONTAINER ID with
docker ps. First, clear Redis.
127.0.0.1:6379> flushall
If you access http: // localhost: 8080 / and check Redis ...
127.0.0.1:6379> keys *
1) "spring:session:sessions:0b288446-d209-4ecc-bfc4-7adf405e68a7"
2) "spring:session:sessions:expires:0b288446-d209-4ecc-bfc4-7adf405e68a7"
3) "spring:session:expirations:1604421420000"
You can see 3 items.
0b288446-d209-4ecc-bfc4-7adf405e68a7 is the session ID of HttpSession, and the information is actually held.
1) "spring:session:sessions:0b288446-d209-4ecc-bfc4-7adf405e68a7"`
It looks like the above item. If you delete this, the session should expire!
let's try it
1. Access http: // localhost: 8080 /
2. Redis confirmation and session deletion
127.0.0.1:6379> keys *
1) "spring:session:sessions:0b288446-d209-4ecc-bfc4-7adf405e68a7"
2) "spring:session:sessions:expires:0b288446-d209-4ecc-bfc4-7adf405e68a7"
3) "spring:session:expirations:1604421420000"
Delete session information
127.0.0.1:6379> del spring:session:sessions:0b288446-d209-4ecc-bfc4-7adf405e68a7
(integer) 1
127.0.0.1:6379> keys *
1) "spring:session:sessions:expires:0b288446-d209-4ecc-bfc4-7adf405e68a7"
2) "spring:session:expirations:1604421420000"
3. Try pressing the [next] button
** You were able to forcibly disconnect the session. ** ** 2 items left
127.0.0.1:6379> keys *
1) "spring:session:sessions:expires:0b288446-d209-4ecc-bfc4-7adf405e68a7"
2) "spring:session:expirations:1604421420000"
Since the TTL (Time to Live) is set for, you can leave it for the time being.