[JAVA] Verification of [email protected]

I tried Spring-Session while referring to this article In particular, I wanted to do XML-based settings instead of annotations.

• I tried using Spring-Session
• Simple verification of [email protected]

Spring-session documentation

The official documentation has an example configuration in XML.

• Spring Session - HttpSession (Quick Start)

Final bean configuration

• Web.xml setting is required, so please refer to other articles to set it.

• Bean settings are based on the following blog spring-session study

• I don't know the details because it is Chinese, but there is a detailed explanation including the timing when the cookie is generated.

• I'm trying the settings in the following blog Spring-session & redis child area name sharing session

When this setting is applied

• cookieName: You can overwrite the default cookie name

• domainNamePattern: You can issue a cookie by regarding multiple domains as one domain with a regular expression.

• For example, ʻa.example.com, b.example.com becomes ʻexample.com when captured with the regular expression below.

• Verification code → Wandbox

• This means that you can share a session between multiple servers

• When searching in English, it seems good to search for "session replicate" or "session clustering".

• domainName: Specify the host name directly without using a regular expression (If domainNamePattern doesn't work, you may want to use this)

• <property name="domainName" value=".example.com"/>

    <!-- spring-Enable annotations in session-->
    <context:annotation-config/>

    <!-- Spring-Enable session management class on session side-->
    <bean class="org.springframework.session.data.redis.config.annotation.web.http.RedisHttpSessionConfiguration"/>
    <!--Register Redis client implementation in bean-->
    <bean class="org.springframework.data.redis.connection.lettuce.LettuceConnectionFactory"/>

    <!--Override the default cookie settings-->
    <bean class="org.springframework.session.web.http.DefaultCookieSerializer">
        <property name="cookieName" value="JSESSIONID" />

        <!--Domain name"."Start with-->
        <property name="domainName" value=".example.com"/>

        <!--Regular expression is a little unconfirmed-->
        <!-- <property name="domainNamePattern" value="^.+?\\.(\\w+\\.[a-z]+)$" /> -->    
    </bean>

Relationship between cookie and IP address

Since there was no domain in the test environment Initially, I tried to get the cookie domain only with the IP address, but it didn't work according to the standard.

Cookie standard

• RFC-2109
• Standards for the relationship between cookies and domains
• The cookie .foo.com is valid for x.foo.com
• For .com, the cookie .com is illegal because there is no "." In it.
• Or rather, the range is too large and it becomes a vulnerability called Cookie Monster

4.3.2  Rejecting Cookies

   To prevent possible security or privacy violations, a user agent
   rejects a cookie (shall not store its information) if any of the
   following is true:

   * The value for the Path attribute is not a prefix of the request-
     URI.

   * The value for the Domain attribute contains no embedded dots or
     does not start with a dot.

   * The value for the request-host does not domain-match the Domain
     attribute.

   * The request-host is a FQDN (not IP address) and has the form HD,
     where D is the value of the Domain attribute, and H is a string
     that contains one or more dots.

   Examples:

   * A Set-Cookie from request-host y.x.foo.com for Domain=.foo.com
     would be rejected, because H is y.x and contains a dot.



Kristol & Montulli          Standards Track                     [Page 7]

RFC 2109            HTTP State Management Mechanism        February 1997


   * A Set-Cookie from request-host x.foo.com for Domain=.foo.com would
     be accepted.

   * A Set-Cookie with Domain=.com or Domain=.com., will always be
     rejected, because there is no embedded dot.

   * A Set-Cookie with Domain=ajax.com will be rejected because the
     value for Domain does not begin with a dot.

Opinions of Perl monks on cookies and IP addresses

Regarding IP address and cookie, I could only find the following description

Fully-qualified host name (FQHN) means either the fully-qualified
   domain name (FQDN) of a host (i.e., a completely specified domain
   name ending in a top-level domain such as .com or .uk), or the
   numeric Internet Protocol (IP) address of a host.  The fully
   qualified domain name is preferred; use of numeric IP addresses is
   strongly discouraged.

So, if you take a look at behavior

Cookie set to IP number?

You can set a cookie to an IP address. You just cannot wildcard it! So while -domain=>'.289.11.63.71' is invalid, ->domain=>'289.11.63.71' is not (get rid of the period before the first set of numbers).

• Using wildcard for IP addresses doesn't seem to work
• Similarly, the process of making the first half of the IP address 289.11. as a domain did not work because it was considered illegal by the browser.

Conclusion

• When sharing a session between multiple servers, it works well if you get the domain and assign the subdomain and IP
• Example) ʻa.example.comandb.example.com`
• Works with session sharing between context paths instead of server
• Because the cookie domain will be localhost
• Example) localhost: 8080 / application-a and localhost: 8080 / application-b

Sample code

• spring-session-xml