Introduction
There are 5 kinds of session management method. They are as follows.
- Long-lived access token.
- Short- to medium-term lived access token used to get a new access token.
- Short- to medium-term access token whose usage extends its expiry.
- Short-lived access token.
- Short-lived access token with long-lived refresh token.
invalidSessionUrl method
We do it like this.
http
    .sessionManagement()
        .sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
        .invalidSessionUrl("/login?invalidSession")
        .maximumSessions(1)
            .maxSessionsPreventsLogin(true)
            .expiredUrl("/login?expired")
            .sessionRegistry(sessionRegistry());
maximumSessions method
We do it like this.
httpSecurity.sessionManagement()
    .maximumSessions(1)
        .maxSessionsPreventsLogin(true);
maxSessionsPreventsLogin method
We do it like this.
http
    .sessionManagement()
        .maximumSessions(1)
            .maxSessionsPreventsLogin(true)
            .sessionRegistry(sessionRegistry);
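A complete configuration for the concurrency control shown in the invalidSessionUrl, maximumSessions and maxSessionsPreventsLogin sections above, as an added example that is not part of the original post. The class name ConcurrentSessionConfig and the login URLs are assumptions; the HttpSessionEventPublisher bean is the part the snippets above leave out, and without it the registry never learns that a session has ended.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.web.session.HttpSessionEventPublisher;

@Configuration
@EnableWebSecurity
public class ConcurrentSessionConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .and()
            .logout()
                .invalidateHttpSession(true)   // default, kept explicit: logout must free the registry slot
                .and()
            .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
                .invalidSessionUrl("/login?invalidSession")  // request carried an unknown or timed-out JSESSIONID
                .maximumSessions(1)
                    .maxSessionsPreventsLogin(true)          // reject the 2nd login instead of expiring the 1st
                    .expiredUrl("/login?expired")            // target for a session expired by concurrency control
                    .sessionRegistry(sessionRegistry());
    }

    // The registry is what maximumSessions() counts against. Exposing it as a bean lets an
    // admin component list a principal's sessions or call expireNow() on one of them.
    @Bean
    public SessionRegistry sessionRegistry() {
        return new SessionRegistryImpl();
    }

    // Publishes HttpSessionDestroyedEvent on logout or timeout so SessionRegistryImpl drops the
    // entry. Without it the stale entry keeps counting and, with maxSessionsPreventsLogin(true),
    // the user is locked out of logging in again after a logout or an expired session.
    @Bean
    public HttpSessionEventPublisher httpSessionEventPublisher() {
        return new HttpSessionEventPublisher();
    }
}
```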
setSessionCreationPolicy method
The value assigned to this field specifies the lifecycle of the SecurityContext object. The policy can take values such as ALWAYS, NEVER and STATELESS.
We can control exactly when our session gets created and how Spring Security will interact with it:
- always – a session will always be created if one doesn't already exist
- ifRequired – a session will be created only if required (default)
- never – the framework will never create a session itself but it will use one if it already exists
- stateless – no session will be created or used by Spring Security
If STATEFUL
The Always option is used.
If STATELESS
The STATELESS option is used.
If STATELESS is used, the authentication information must arrive with every request.
- STATELESS cannot be used for Form authentication.
- STATELESS can be used for Digest Authentication.
- STATELESS can be used for JWT.
If we choose STATELESS, cookies are no longer used. The explanation is as follows:
Finally, the strictest session creation option – “stateless” – is a guarantee that the application will not create any session at all.
This was introduced in Spring 3.1 and will effectively skip parts of the Spring Security filter chain – mainly the session related parts such as HttpSessionSecurityContextRepository, SessionManagementFilter, RequestCacheFilter.
These more strict control mechanisms have the direct implication that cookies are not used and so each and every request needs to be re-authenticated. This stateless architecture plays well with REST APIs and their Statelessness constraint. They also work well with authentication mechanisms such as Basic and Digest Authentication.
Since NullSecurityContextRepository is used in the SecurityContextPersistenceFilter class as a result of authentication, a cookie is no longer written to the HTTP Session. The explanation is as follows:
Before executing the Authentication process, Spring Security will run a filter responsible with storing the Security Context between requests – the SecurityContextPersistenceFilter. The context will be stored according to a strategy – HttpSessionSecurityContextRepository by default – which uses the HTTP Session as storage.
For the strict create-session=”stateless” attribute, this strategy will be replaced with another – NullSecurityContextRepository – and no session will be created or used to keep the context.
Example - ALWAYS
We do it like this.
HttpSecurity http = ...;
http.sessionManagement()
    .sessionCreationPolicy(SessionCreationPolicy.ALWAYS)
    .enableSessionUrlRewriting(true);
Example - NEVER
We do it like this.
@Override
public void configure(HttpSecurity http) throws Exception {
    http
        .csrf()
            .disable()
        .sessionManagement()
            .sessionCreationPolicy(SessionCreationPolicy.NEVER)
            .and()
        .authorizeRequests()
            .antMatchers("/v2/api-docs").permitAll()
            .antMatchers("/swagger-ui.html").permitAll()
            .antMatchers("/swagger-resources").permitAll()
            .antMatchers("/images").permitAll()
            .antMatchers(HttpMethod.OPTIONS, "/**").permitAll();
}
Example - STATELESS
We do it like this.
http.sessionManagement()
    .sessionCreationPolicy(SessionCreationPolicy.STATELESS);
sessionFixation method
Creates a new session id for every new login.
Protects against the Session Fixation attack.
Example
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .sessionManagement()
                // Under STATELESS Spring Security keeps no SecurityContext in a session, so the
                // fixation and concurrency settings below only take effect if the policy is relaxed.
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                // issue a new session id on login and copy the old session's attributes into it
                .sessionFixation().migrateSession()
                // concurrency control: at most one active session per user
                .maximumSessions(1)
                    .maxSessionsPreventsLogin(true);
        // The Secure flag on the session cookie is not set through this DSL; in Spring Boot it is
        // set with server.servlet.session.cookie.secure=true in application.properties.
    }
}
By default, Java generates session IDs that are based on a predictable algorithm. This can make it easier for attackers to hijack a user’s session. To prevent this, you can use a secure session ID generator that uses a random number generator and a cryptographically secure hash algorithm to generate session IDs.
In this example, we are using Spring Security to configure our session management settings. We are setting the session creation policy to STATELESS so that the server does not create a session for each user. We are also enabling session fixation protection by calling the migrateSession() method, which ensures that a new session ID is generated each time a user logs in. Finally, we are marking the session cookie as Secure to ensure that it is only transmitted over an HTTPS connection.
sessionConcurrency method
Example
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .sessionFixation().migrateSession()
                // where a request carrying an invalid (e.g. timed-out) session id is redirected
                .invalidSessionUrl("/login?expired=true")
                // concurrency control: at most one active session per user
                .maximumSessions(1)
                    // reject the new login instead of expiring the existing session
                    .maxSessionsPreventsLogin(true)
                    // where a session expired by concurrency control is redirected
                    .expiredUrl("/login?expired=true");
    }
}
In this example, we are using Spring Security to set a maximum session limit of one. On its own, this means that if a user logs in from a different device or browser, their original session will be invalidated. We are also setting the maxSessionsPreventsLogin flag to true, which changes this behaviour: once a user has reached their maximum session limit, they will be prevented from logging in from any other device or browser until they log out from their original session.
By using these secure session management techniques, you can help protect user sessions from attacks like session hijacking or session fixation. It’s important to choose a session management strategy that meets the specific needs of your application and to thoroughly test your session management implementation for vulnerabilities.
setSessionRegistry method
I moved this to the SessionRegistry post.