Closed
Description
Currently the session alias and the session ids are always delimited by " ". It would be nice to allow users to inject their own delimiter to work around issues caused by Tomcat 8.5 using RFC 6265 (i.e. #605).
Example Usage
This demonstrates how to migrate from a delimiter of " " to a new delimiter of "_", which is compliant with RFC 6265, while still reading old cookie values.

```java
@Bean
public CookieHttpSessionStrategy strategy() {
    CookieHttpSessionStrategy strategy = new CookieHttpSessionStrategy();
    // read cookies written with either the new "_" or the old " " delimiter
    strategy.setDeserializationDelimiter("_ ");
    // write all new cookies with the RFC 6265 compliant "_" delimiter
    strategy.setSerializationDelimiter("_");
    return strategy;
}

// necessary to ensure you can still read the value if using Tomcat 8.5
@Bean
public EmbeddedServletContainerCustomizer customizer() {
    return container -> {
        if (container instanceof TomcatEmbeddedServletContainerFactory) {
            TomcatEmbeddedServletContainerFactory tomcat = (TomcatEmbeddedServletContainerFactory) container;
            tomcat.addContextCustomizers(context -> context.setCookieProcessor(new LegacyCookieProcessor()));
        }
    };
}
```

Users should:
- Have the above code deployed for at least the length of time a session is valid. This will ensure that all new sessions are created with the new delimiter and are parsed with both the old delimiter and the new delimiter.
- Ensure that something (e.g. a servlet Filter) rewrites existing cookies with the new delimiter. This is necessary because Spring Session only writes new sessions as a Cookie, so the configuration only ensures new sessions are correct.
- Afterwards, all sessions should be in the new format, so the customization to Tomcat can be removed.
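
One way to do the cookie rewrite from the second step, as an added example that is not code from this issue or from Spring Session. The class name is hypothetical, and the cookie name `SESSION`, the path `/` and the `HttpOnly`/`Secure` handling are assumptions that must match whatever your Spring Session cookie configuration actually writes; otherwise the browser keeps the old cookie alongside the new one.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical filter: re-issues a session cookie that still uses the old " " delimiter.
public class SessionCookieDelimiterMigrationFilter implements Filter {
    private static final String COOKIE_NAME = "SESSION"; // assumption: cookie name in use
    private static final String OLD_DELIMITER = " ";
    private static final String NEW_DELIMITER = "_";

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        Cookie[] cookies = request.getCookies();
        if (cookies != null) {
            for (Cookie cookie : cookies) {
                String migrated = COOKIE_NAME.equals(cookie.getName())
                        ? migrate(cookie.getValue()) : null;
                if (migrated != null) {
                    // Must be added before the response is committed.
                    Cookie replacement = new Cookie(COOKIE_NAME, migrated);
                    replacement.setPath("/");                   // assumption: same path as the original
                    replacement.setHttpOnly(true);              // keep the id away from scripts
                    replacement.setSecure(request.isSecure());  // keep Secure on HTTPS
                    response.addCookie(replacement);
                }
            }
        }
        chain.doFilter(request, response);
    }

    // Returns the value with the new delimiter, or null when no rewrite is needed or safe.
    static String migrate(String value) {
        if (value == null || !value.contains(OLD_DELIMITER)) {
            return null; // single-session cookie or already migrated
        }
        if (value.contains(NEW_DELIMITER)) {
            return null; // an alias or id already contains "_": rewriting would be ambiguous
        }
        return value.replace(OLD_DELIMITER, NEW_DELIMITER);
    }

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }
}
```

Values that already contain "_" are left untouched on purpose, since after the rewrite they could no longer be split unambiguously; such sessions simply expire in the old format.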