[JAVA] Break the Spring-Session session


Have you ever wanted to disconnect a particular session of your web application from the outside? "Dangerous guy found! Disconnect for the time being" Like. Moreover, without touching the Web application ... The target is a web application that uses Spring-Session and holds the session in Redis. Then simply "Erase session information from Redis" I thought. I will experiment to see if it works. If you know a smarter way, I would appreciate it if you could point it out.

Restrictions, etc.

The contents of this article have been confirmed to work in the following environments.

Prepare Redis

Docker is easy to prepare for Redis. I used this. Create a redis environment with docker-compose

$ docker-compose up -d 

So, start Redis.

Spring-Session application preparation

I can't experiment without the Spring-Session application, but I can't find a nice simple sample app. So I made a simple app and placed it below. Sprint-Session-Sample

Spring-Session-Sample behavior

1. Run the app in the downloaded or cloned directory

$ ./gradlew bootRun

If you connect to the default port of Redis (6379) and it starts up successfully

The above string will appear.

2. Access http: // localhost: 8080 /

image.png Enter a character string in each field and press the [next] button. The entered character string is displayed on the next screen that inherits the session. image.png When the session expires (default 30 minutes), the error screen transitions. image.png This state is reproduced by an external operation.

Observing and manipulating Redis

Observe what Redis items are registered to manage your session.

--Using redis-cli

$ docker exec -it [CONTAINER ID] /bin/bash
root@[CONTAINER ID]:/data# redis-cli>(Command input here)> flushall

If you access http: // localhost: 8080 / and check Redis ...> keys *
1) "spring:session:sessions:0b288446-d209-4ecc-bfc4-7adf405e68a7"
2) "spring:session:sessions:expires:0b288446-d209-4ecc-bfc4-7adf405e68a7"
3) "spring:session:expirations:1604421420000"

You can see 3 items. 0b288446-d209-4ecc-bfc4-7adf405e68a7 is the session ID of HttpSession, and the information is actually held.

1) "spring:session:sessions:0b288446-d209-4ecc-bfc4-7adf405e68a7"`

It looks like the above item. If you delete this, the session should expire!

let's try it

1. Access http: // localhost: 8080 /


2. Redis confirmation and session deletion> keys *
1) "spring:session:sessions:0b288446-d209-4ecc-bfc4-7adf405e68a7"
2) "spring:session:sessions:expires:0b288446-d209-4ecc-bfc4-7adf405e68a7"
3) "spring:session:expirations:1604421420000"

Delete session information> del spring:session:sessions:0b288446-d209-4ecc-bfc4-7adf405e68a7 
(integer) 1> keys *
1) "spring:session:sessions:expires:0b288446-d209-4ecc-bfc4-7adf405e68a7"
2) "spring:session:expirations:1604421420000"

3. Try pressing the [next] button


** You were able to forcibly disconnect the session. ** ** 2 items left> keys *
1) "spring:session:sessions:expires:0b288446-d209-4ecc-bfc4-7adf405e68a7"
2) "spring:session:expirations:1604421420000"

Since the TTL (Time to Live) is set for, you can leave it for the time being.

Recommended Posts

Break the Spring-Session session
Break through the Japanese table with MyBatis
Break long slim syntax in the middle