[JAVA] Verification of [email protected]

I tried Spring-Session while referring to this article. In particular, I wanted to use XML-based configuration instead of annotations.

Spring-session documentation

The official documentation has an example configuration in XML.

Final bean configuration

When these settings are applied:

    <!-- Enable annotation processing for spring-session -->
    <context:annotation-config/>

    <!-- Enable the session management class on the spring-session side -->
    <bean class="org.springframework.session.data.redis.config.annotation.web.http.RedisHttpSessionConfiguration"/>
    <!-- Register the Redis client implementation as a bean -->
    <bean class="org.springframework.data.redis.connection.lettuce.LettuceConnectionFactory"/>

    <!-- Override the default cookie settings -->
    <bean class="org.springframework.session.web.http.DefaultCookieSerializer">
        <property name="cookieName" value="JSESSIONID" />

        <!-- The domain name starts with "." -->
        <property name="domainName" value=".example.com"/>

        <!-- The regular expression has not been fully verified.
             An XML attribute value is used literally, so backslashes are not doubled as in a Java string literal.
             Use this instead of domainName; DefaultCookieSerializer does not accept both. -->
        <!-- <property name="domainNamePattern" value="^.+?\.(\w+\.[a-z]+)$" /> -->
    </bean>

Relationship between cookie and IP address

Since there was no domain in the test environment, I initially tried to use only the IP address as the cookie domain, but according to the standard that does not work.

Cookie standard

From RFC 2109, HTTP State Management Mechanism (Kristol & Montulli, Standards Track, February 1997):

4.3.2  Rejecting Cookies

   To prevent possible security or privacy violations, a user agent
   rejects a cookie (shall not store its information) if any of the
   following is true:

   * The value for the Path attribute is not a prefix of the request-
     URI.

   * The value for the Domain attribute contains no embedded dots or
     does not start with a dot.

   * The value for the request-host does not domain-match the Domain
     attribute.

   * The request-host is a FQDN (not IP address) and has the form HD,
     where D is the value of the Domain attribute, and H is a string
     that contains one or more dots.

   Examples:

   * A Set-Cookie from request-host y.x.foo.com for Domain=.foo.com
     would be rejected, because H is y.x and contains a dot.

   * A Set-Cookie from request-host x.foo.com for Domain=.foo.com would
     be accepted.

   * A Set-Cookie with Domain=.com or Domain=.com., will always be
     rejected, because there is no embedded dot.

   * A Set-Cookie with Domain=ajax.com will be rejected because the
     value for Domain does not begin with a dot.

Opinions of Perl monks on cookies and IP addresses

Regarding IP addresses and cookies, I could only find the following description:

   Fully-qualified host name (FQHN) means either the fully-qualified
   domain name (FQDN) of a host (i.e., a completely specified domain
   name ending in a top-level domain such as .com or .uk), or the
   numeric Internet Protocol (IP) address of a host.  The fully
   qualified domain name is preferred; use of numeric IP addresses is
   strongly discouraged.

So, looking at the actual behavior:

Cookie set to IP number?

You can set a cookie to an IP address. You just cannot wildcard it! So while -domain=>'.289.11.63.71' is invalid, ->domain=>'289.11.63.71' is not (get rid of the period before the first set of numbers).
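
The Domain rules of the section 4.3.2 text quoted above can be applied literally to the RFC's own examples and to an IP-address request-host. This is an added example, not code from the original post or from Spring Session; the function names and the `192.0.2.10` address are constructed for illustration, the Path rule is left out, and real browsers may be more lenient than this literal reading, as the reply quoted above reports.

```python
import ipaddress

def is_ip(host: str) -> bool:
    """True when the request-host is a numeric IP address rather than an FQDN."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def domain_match(host: str, domain: str) -> bool:
    """RFC 2109 domain-match: equal strings, or an FQDN host ending in a dotted Domain."""
    host, domain = host.lower(), domain.lower()
    if host == domain:
        return True
    return (not is_ip(host) and domain.startswith(".")
            and host.endswith(domain) and len(host) > len(domain))

def rejection_reason(host: str, domain: str):
    """Return why section 4.3.2 rejects this Domain attribute, or None if it is accepted."""
    if not domain.startswith("."):
        return "Domain does not start with a dot"
    if "." not in domain.strip("."):
        return "Domain contains no embedded dot"
    if not domain_match(host, domain):
        return "request-host does not domain-match Domain"
    prefix = host[: -len(domain)]  # H in the form HD
    if not is_ip(host) and "." in prefix:
        return "H contains a dot"
    return None

# Constructed cases: the RFC's own examples plus an IP-address request-host.
CASES = [
    ("y.x.foo.com", ".foo.com"),
    ("x.foo.com", ".foo.com"),
    ("x.foo.com", ".com"),
    ("www.ajax.com", "ajax.com"),
    ("192.0.2.10", ".192.0.2.10"),
    ("192.0.2.10", "192.0.2.10"),
]

if __name__ == "__main__":
    for host, domain in CASES:
        verdict = rejection_reason(host, domain) or "accepted"
        print(f"{host:12} Domain={domain:12} -> {verdict}")
```

Under these rules no Domain value passes for an IP-address request-host, so in an environment without a domain name the cookie has to be sent without a Domain attribute, which RFC 2109 defaults to the request-host.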

Conclusion

Sample code
