Session, cookie and the difference between session and cookie in shiro

Keywords: Session Shiro Spring Java

I'm playing with the Spring Boot integration of Shiro, but I find that its sessions and cookies make me a little confused...

First of all, the difference between session and cookie. In fact, session and cookie are essentially the same thing: a session is built on top of a cookie.

By the way, the sessions that Shiro operates on and manages in a web project are essentially HTTP web sessions, with at most the cookie name changed. Don't treat Shiro sessions and HTTP sessions as separate things; they are the same. You can search Baidu for the specifics.

1. session implementation

On every request the browser sends a cookie that carries the session ID; the session data is saved on the server, and the ID is saved on the client. This mechanism is called a session, and it is implemented with cookie technology. The life cycle of this cookie on the browser side is: if no expiration time is set, the cookie lives only for the browser session, and as soon as the browser is closed the cookie disappears. A cookie with this lifetime is a browser-session cookie, that is, a session cookie.

The following are the session settings in a custom session manager for the Shiro configuration:

    import org.apache.shiro.cache.CacheManager;
    import org.apache.shiro.web.servlet.Cookie;
    import org.apache.shiro.web.servlet.ShiroHttpSession;
    import org.apache.shiro.web.servlet.SimpleCookie;
    import org.apache.shiro.web.session.mgt.DefaultWebSessionManager;
    import org.springframework.context.annotation.Bean;
    // GunsProperties is the project's own configuration properties class

    /**
     * Session manager
     */
    @Bean
    public DefaultWebSessionManager defaultWebSessionManager(CacheManager cacheShiroManager, GunsProperties gunsProperties) {
        // Essentially, the session Shiro operates on is the HTTP web session
        DefaultWebSessionManager sessionManager = new DefaultWebSessionManager();
        sessionManager.setCacheManager(cacheShiroManager);
        // validation interval and global timeout are configured in seconds, Shiro wants milliseconds
        sessionManager.setSessionValidationInterval(gunsProperties.getSessionValidationInterval() * 1000);
        sessionManager.setGlobalSessionTimeout(gunsProperties.getSessionInvalidateTime() * 1000);
        sessionManager.setDeleteInvalidSessions(true);
        sessionManager.setSessionValidationSchedulerEnabled(true);
        Cookie cookie = new SimpleCookie(ShiroHttpSession.DEFAULT_SESSION_ID_NAME);
        // Change the default session cookie name. No max age is set for the session cookie:
        // by default it lasts until the browser closes or the server invalidates the session.
        cookie.setName("shiroCookie");
        cookie.setHttpOnly(true);
        sessionManager.setSessionIdCookie(cookie);
        return sessionManager;
    }

After Shiro intercepts an access address, you will find in the browser's cookie list for the corresponding domain a cookie named shiroCookie whose content is the session ID. By default, if we don't set a name, the cookie that stores the web session ID is called JSESSIONID. No life cycle is set here, so the cookie lives only while the browser is open; once the browser closes, it is no longer seen on the client side.

2. cookie

The other cookies we use in development store content on the client side, with the cookie's life cycle specified on the client. Of course, the content of the cookie is usually encrypted. This kind of cookie does not exist on the server. Below is the login-free (rememberMe) cookie that Shiro customizes to store Shiro content:

    import org.apache.shiro.codec.Base64;
    import org.apache.shiro.web.mgt.CookieRememberMeManager;
    import org.apache.shiro.web.servlet.SimpleCookie;
    import org.springframework.context.annotation.Bean;

    /**
     * Remember-me cookie
     */
    @Bean
    public SimpleCookie rememberMeCookie() {
        SimpleCookie simpleCookie = new SimpleCookie("rememberMe");
        simpleCookie.setHttpOnly(true);
        simpleCookie.setMaxAge(7 * 24 * 60 * 60); // 7 days, in seconds
        return simpleCookie;
    }

    /**
     * rememberMe manager; for cipherKey generation see {@code Base64Test.java}
     */
    @Bean
    public CookieRememberMeManager rememberMeManager(SimpleCookie rememberMeCookie) {
        CookieRememberMeManager manager = new CookieRememberMeManager();
        // the AES key used to encrypt the rememberMe cookie value (Base64-encoded 16-byte key)
        manager.setCipherKey(Base64.decode("Z3VucwAAAAAAAAAAAAAAAA=="));
        manager.setCookie(rememberMeCookie);
        return manager;
    }
This is mainly about Shiro's rememberMe cookie. The class in Shiro that implements the rememberMe function is org.apache.shiro.web.mgt.CookieRememberMeManager. The code at login time is also simple:

    Subject subject = SecurityUtils.getSubject(); // the currently executing subject
    UsernamePasswordToken token = new UsernamePasswordToken(username, password);
    token.setRememberMe(true);
    subject.login(token);
When rememberMe is set to true, the corresponding rememberMe cookie is set on the client side at login. The next time you visit with this cookie and access a link protected by the user filter, no login authentication is needed; the request goes directly to permission checking. The complete process is as follows:

When remembering at login:
- Get the principals object and serialize it
- Encrypt it with AES using the configured key
- Base64-encode the encrypted value

When the client accesses with this rememberMe cookie, Shiro follows the reverse procedure to find the remembered identity information:
- Get the value of the rememberMe cookie
- Base64-decode it
- Decrypt it with AES
- Deserialize it with ObjectInputStream

This removes the need to enter the authenticated interceptor; the login information is retrieved directly from the cookie.
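As an added example that is not part of the original post and not Shiro's own code, the following stand-alone Java program walks through the remember and recall steps listed above using only JDK crypto, and also generates a random cipherKey, the job the post delegates to Base64Test.java. The class name RememberMeDemo, the sample principal "alice", and the AES/CBC layout with a random 16-byte IV prepended to the ciphertext (how Shiro 1.x's AesCipherService lays out its output) are assumptions.

```java
import java.io.*;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.*;
import javax.crypto.spec.*;

// Stand-alone demo of the rememberMe round trip (assumed layout: AES/CBC/PKCS5Padding
// with a random 16-byte IV prepended to the ciphertext, as in Shiro 1.x's AesCipherService).
public class RememberMeDemo {
    // Generate a random cipherKey (what Base64Test.java is expected to do) instead of
    // hard-coding one: anyone who knows the key can mint cookie values that pass recall().
    static String newBase64CipherKey() throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        return Base64.getEncoder().encodeToString(kg.generateKey().getEncoded());
    }
    // Remembering at login: principals -> serialize -> AES encrypt -> Base64 encode.
    static String remember(Serializable principals, byte[] key) throws Exception {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(principals); }
        byte[] iv = new byte[16];
        new SecureRandom().nextBytes(iv);                     // fresh IV per cookie
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new IvParameterSpec(iv));
        byte[] ct = c.doFinal(bos.toByteArray());
        byte[] out = Arrays.copyOf(iv, iv.length + ct.length); // IV || ciphertext
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return Base64.getEncoder().encodeToString(out);
    }
    // Recalling on a later request: cookie -> Base64 decode -> AES decrypt -> deserialize.
    static Object recall(String cookieValue, byte[] key) throws Exception {
        byte[] in = Base64.getDecoder().decode(cookieValue);
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"),
               new IvParameterSpec(Arrays.copyOf(in, 16))); // first 16 bytes are the IV
        byte[] plain = c.doFinal(in, 16, in.length - 16);    // wrong key -> BadPaddingException
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(plain))) {
            return ois.readObject(); // only bytes encrypted under the secret key reach this point
        }
    }
    public static void main(String[] args) throws Exception {
        String keyB64 = newBase64CipherKey();    // paste into setCipherKey(Base64.decode(...))
        byte[] key = Base64.getDecoder().decode(keyB64);
        String cookie = remember("alice", key);  // "alice": constructed sample principal
        System.out.println("rememberMe=" + cookie + " -> recalled " + recall(cookie, key));
    }
}
```

Running it prints a different cookie value each time because of the random IV, yet recall() always returns "alice"; tampering with the cookie or using another key fails at the decrypt step before any deserialization happens.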

In this way, the client will see a cookie called rememberMe that survives closing the browser, with a validity period of 7 days.

- A session expires easily, and the user experience is poor.
- Although cookies are not secure, their content can be encrypted.
- Cookies are also classified as permanent and temporary.
- The browser can disable cookies, but ordinary users will not do so.
- Be sure to set the expiration time, or the cookie will disappear when the browser is closed.

When it comes to security, a session is of course a little more secure, but cookies have their own use cases.
Reference addresses:
http://www.cnblogs.com/yunian/articles/5736066.html
https://www.zhihu.com/question/19786827
http://www.jianshu.com/p/4972c4d70853

Posted by ctjansen on Mon, 17 Dec 2018 20:36:04 -0800