
I'm implementing Spring Security in my project and have used a MySQL database to store sessions. Everything works fine, but when the user logs out, their session is also deleted from the database, which I do not want. I only want the session to be invalidated, not deleted from the database. On debugging, I found:

    public void logout(HttpServletRequest request, HttpServletResponse response,
            Authentication authentication) {
        Assert.notNull(request, "HttpServletRequest required");
        if (invalidateHttpSession) {
            HttpSession session = request.getSession(false);
            if (session != null) {
                logger.debug("Invalidating session: " + session.getId());
                session.invalidate(); // <-- the call that ends up deleting the session
            }
        }

        if (clearAuthentication) {
            SecurityContext context = SecurityContextHolder.getContext();
            context.setAuthentication(null);
        }

        SecurityContextHolder.clearContext();
    }

This code is from the SecurityContextLogoutHandler class.

Further, the code execution goes in:

    private final class HttpSessionWrapper extends HttpSessionAdapter<S> {

        HttpSessionWrapper(S session, ServletContext servletContext) {
            super(session, servletContext);
        }

        @Override
        public void invalidate() {
            super.invalidate();
            SessionRepositoryRequestWrapper.this.requestedSessionInvalidated = true;
            setCurrentSession(null);
            clearRequestedSessionCache();
            // <-- deletes the session from the SessionRepository (the DB in this case)
            SessionRepositoryFilter.this.sessionRepository.deleteById(getId());
        }

    }

The last line of the function deletes the session which I do not want.

My question is: can I stop Spring Security from deleting sessions from the DB when the user logs out, or is this how Spring Security works?

  • You shouldn't, as deleting the session is invalidating it. Why do you want to keep the session data in the database? You probably have another use case you want to fulfil, which is the actual question you should be asking. – M. Deinum Jul 27 '20 at 06:09



Is there any specific reason why you don't want to delete the session from the DB once the user logs out? This is pretty much common behavior. The session represents your logged-in client. Once the client logs in (provides valid credentials, e.g. a username and password), a session ID is created and sent to the client. This session ID represents a valid logged-in connection. On subsequent requests from this client, it will only send this session ID inside a header; your app will check whether this session ID is stored among the valid sessions (in your DB, for example) and, if it is, the request is considered authenticated (therefore the client doesn't have to send its credentials, which would have to be verified with each request; it only sends the session ID). Once the client logs out, the session ID is invalidated, since with logout its connection is no longer authenticated. Therefore yes, this is how Spring Security works; there is no need to persist invalidated sessions. You would also have to implement a custom mechanism for clearing sessions from the DB (when would the session be cleared, if not at the time of user logout?). Also, you might consider using an in-memory session pool instead of the DB.

Edit: I don't know how Spring checks valid sessions in the case of a DB session pool, but at some point it has to access the DB and read all sessions so it can find out which session IDs are valid (I guess this is done for each post-login request at least). How could an invalidated session in your case be persisted inside the database session pool when valid sessions are defined by that pool at the same time?

Norbert Dopjera
  • The reason I don't want to delete the session from the DB is because I'm saving sessions with some attributes, and based on these attributes I want to show the user some relevant information when he/she logs in next time, like what happens in shopping websites. I don't know how these websites achieve this though. – Abhishek Tomar Jul 27 '20 at 02:51
  • Also, I agree with you that I'll have to implement a custom mechanism to clear sessions from the DB, but I can implement it later. My motive here is to achieve what shopping websites do (show suggestions/relevant information). – Abhishek Tomar Jul 27 '20 at 03:01
  • 2
    Such information should not be stored with session. If you have your user's persisted inside DB, why not just persist these additional information to DB with relevant userID also? Next time user would like to see such attribute just fetch DB for those information's by currently logged in userID. You can simply implement this and is common way of doing such things. Website's that doesn't require login to hold additional information to connection usualy use ip:port combination to represent connection but once this connection is invalidated these information's are lost. – Norbert Dopjera Jul 27 '20 at 03:29
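One way to act on the suggestion in the answer and its comments (keep the user's data keyed by user ID, and let the session record itself be deleted at logout so a logged-out session ID can never be presented again) is a custom `LogoutHandler` that copies selected session attributes into a user-keyed store before Spring Security's built-in `SecurityContextLogoutHandler` invalidates the session. This is an added example, not code from the question, the answer, or Spring itself; `UserPreferenceStore`, the `pref.` attribute-name prefix and the `javax.servlet` imports (Spring Security 5 era, matching the 2020 question) are assumptions.

```java
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.logout.LogoutHandler;

// Hypothetical user-keyed store; in a real application this would be a JPA/JDBC
// repository with a table keyed by the user ID, not by the session ID.
interface UserPreferenceStore {
    void save(String username, Map<String, Object> preferences);
}

// Copies "pref.*" session attributes to the user-keyed store at logout.
// It deliberately does NOT keep the session alive: the session row is still
// deleted by Spring Session, which is what makes the old session ID unusable.
public class PreferencePreservingLogoutHandler implements LogoutHandler {
    // Only attributes with this (assumed) prefix are preserved. Security-related
    // attributes (SPRING_SECURITY_CONTEXT, CSRF token, ...) stay bound to the
    // session and are discarded with it.
    private static final String PREFIX = "pref.";

    private final UserPreferenceStore store;

    public PreferencePreservingLogoutHandler(UserPreferenceStore store) {
        this.store = store;
    }

    @Override
    public void logout(HttpServletRequest request, HttpServletResponse response,
            Authentication authentication) {
        // getSession(false) never creates a session; nothing to preserve if there is none
        HttpSession session = request.getSession(false);
        if (session == null || authentication == null) {
            return;
        }
        Map<String, Object> preferences = new HashMap<>();
        Enumeration<String> names = session.getAttributeNames();
        while (names.hasMoreElements()) {
            String name = names.nextElement();
            if (name.startsWith(PREFIX)) {
                preferences.put(name.substring(PREFIX.length()), session.getAttribute(name));
            }
        }
        if (!preferences.isEmpty()) {
            // Key by the authenticated principal's name, so the data is found again
            // on the user's next login regardless of which session they get.
            store.save(authentication.getName(), preferences);
        }
        // No session.invalidate() here: SecurityContextLogoutHandler runs after this
        // handler and invalidates the session, which Spring Session then deletes.
    }
}

@Configuration
class SecurityConfig extends WebSecurityConfigurerAdapter {
    private final UserPreferenceStore store;

    SecurityConfig(UserPreferenceStore store) {
        this.store = store;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.logout(logout -> logout
                .addLogoutHandler(new PreferencePreservingLogoutHandler(store)));
    }
}
```

Handlers registered with `addLogoutHandler` run before the `SecurityContextLogoutHandler` that the `LogoutConfigurer` appends last, so the attributes are read while the session still exists. Writing the preserved data keyed by user ID rather than keeping the session row means logout still fully invalidates the session ID, while the "show relevant information next time" requirement is served by a lookup on the user at the next login.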