Session Tracking modes in Spring security

Applications maintain their state with the user using a concept called session. In this post we will see about different type of session tracking modes and how they work.

When an application authenticates a user, it can do two possible things.

  1. Forget about the user after the request is processed and user will have to authenticate for each request.
  2. Establish a stateful session with the user so that you don’t have to authenticate the users till they log out.

As you would understand, we will explore second part. To establish sessions, a spring boot application has three possible options to chose from.

HTTP Cookies

A “cookie” is a browser concept that helps the server to store arbitrary information on the user’s computer. Cookies are one of the reliable ways in which a website can remember stateful information about the user. This is mainly due to how cookies work.

Once a cookie is set on the user’s computer, each and every request will contain that cookie as a header. This header value can then be read by the servers to make use of this concept. The common use for the cookies are to store authentication cookies.

For Spring Security this is the default setting.

URL session tracking

Unlike Cookies, the URL tracking is straightforward. If you enable this mode, All url must have a mandatory query parameter for the client to send the current session-id. for example each url would look like this.

https://somedomain.com/app?JSESSIONID=23e2d23d23d2d323d2d3d2d23d

SSL session tracking

When a server is secured with SSL certificates, the client and server must do handshakes to establish secure communication. One the communication is established, what we have is potentially a TLS session between a client and server. In this TLS session, information like authentication-session-ids can be shared to the client. Every time the client sends request to the server over TLS, this session information is also cascaded.

The only catch with this mode is that the server need to be configured to listen to HTTPS. Also, this approach makes it harder to implement load balancing as most of the load balancers handle the TLS part, and the application usually runs over HTTP.

Changing session tracking mode in Spring Security

Spring boot supports all the above three implementations and by far the Cookie based approach is default and easier to implement. We can switch between each approach using the server.servlet.session.tracking-modes configuration. This configuration takes one of COOKIE,URL SSL as a value.

server.servlet.session.tracking-modes=URL

When to use which?

URL parameter based approach may work for the applications with MVC views(HTML pages). Exposing session IDs in the URL may invite security issues as plain HTTP requests will show these session ids to anyone who listens to the network. So only use this if you are using SSL. Even in SSL, the server access-logs and any intermediate proxies may be able to see the session id makes this approach less secure.

SSL implementation is robust in terms of security. However, session destruction and auto expiry are not part of TLS session variables. Thus, the servers need to handle these manually. A typical enterprise application would have a loadbalancer like nginx or f5 to provide SSL support. So this implementation goes against those standards. Adding SSL certificates to spring boot applications may be easy, but it could affect performance.

Cookie based approach is recommended in almost all cases as they are more secure compared to URL implementation and easier to implement and configure compared to SSL. Due to the nature of the cookies, they can never be shown in the URLs and are practically invisible to access if used with HTTPS. Also HttpOnly cookies are never accessible by javascript. So cross side scripting is avoided. This cannot be said to URL bases session tracking due to document.location.href.

Leave a Comment