Package org.eclipse.jetty.server.session

Class SessionHandler

  • All Implemented Interfaces:
    Handler, HandlerContainer, org.eclipse.jetty.util.component.Container, org.eclipse.jetty.util.component.Destroyable, org.eclipse.jetty.util.component.Dumpable, org.eclipse.jetty.util.component.LifeCycle
    @ManagedObject
public class SessionHandler
extends ScopedHandler
    SessionHandler.

    • Field Detail

      • __SessionCookieProperty

        public static final String __SessionCookieProperty
        Session cookie name. Defaults to JSESSIONID, but can be set with the org.eclipse.jetty.servlet.SessionCookie context init parameter.
        See Also:
        Constant Field Values

      • __SessionIdPathParameterNameProperty

        public static final String __SessionIdPathParameterNameProperty
        Session id path parameter name. Defaults to jsessionid, but can be set with the org.eclipse.jetty.servlet.SessionIdPathParameterName context init parameter. If context init param is "none", or setSessionIdPathParameterName is called with null or "none", no URL rewriting will be done.
        See Also:
        Constant Field Values

      • __SessionDomainProperty

        public static final String __SessionDomainProperty
        Session Domain. If this property is set as a ServletContext InitParam, then it is used as the domain for session cookies. If it is not set, then no domain is specified for the session cookie.
        See Also:
        Constant Field Values

      • __DefaultSessionDomain

        public static final String __DefaultSessionDomain

      • __SessionPathProperty

        public static final String __SessionPathProperty
        Session Path. If this property is set as a ServletContext InitParam, then it is used as the path for the session cookie. If it is not set, then the context path is used as the path for the cookie.
        See Also:
        Constant Field Values

      • __MaxAgeProperty

        public static final String __MaxAgeProperty
        Session Max Age. If this property is set as a ServletContext InitParam, then it is used as the max age for the session cookie. If it is not set, then a max age of -1 is used.
        See Also:
        Constant Field Values

      • SESSION_LISTENER_TYPES

        public static final Class<? extends EventListener>[] SESSION_LISTENER_TYPES

      • MAX_INACTIVE_MINUTES

        public static final BigDecimal MAX_INACTIVE_MINUTES
        Web.xml session-timeout is set in minutes, but is stored as an int in seconds by HttpSession and the sessionmanager. Thus MAX_INT is the max number of seconds that can be set, and MAX_INT/60 is the max number of minutes that you can set.

      • _dftMaxIdleSecs

        protected int _dftMaxIdleSecs
        Setting of max inactive interval for new sessions -1 means no timeout

      • _httpOnly

        protected boolean _httpOnly

      • _secureCookies

        protected boolean _secureCookies

      • _secureRequestOnly

        protected boolean _secureRequestOnly

      • _sessionCookie

        protected String _sessionCookie

      • _sessionIdPathParameterName

        protected String _sessionIdPathParameterName

      • _sessionIdPathParameterNamePrefix

        protected String _sessionIdPathParameterNamePrefix

      • _sessionDomain

        protected String _sessionDomain

      • _sessionPath

        protected String _sessionPath

      • _maxCookieAge

        protected int _maxCookieAge

      • _refreshCookieAge

        protected int _refreshCookieAge

      • _nodeIdInSessionId

        protected boolean _nodeIdInSessionId

      • _checkingRemoteSessionIdEncoding

        protected boolean _checkingRemoteSessionIdEncoding

      • _sessionComment

        protected String _sessionComment

      • _sessionTimeStats

        protected final org.eclipse.jetty.util.statistic.SampleStatistic _sessionTimeStats

      • _sessionsCreatedStats

        protected final org.eclipse.jetty.util.statistic.CounterStatistic _sessionsCreatedStats

      • _usingURLs

        protected boolean _usingURLs

      • _usingCookies

        protected boolean _usingCookies

      • _candidateSessionIdsForExpiry

        protected Set<String> _candidateSessionIdsForExpiry

      • _scheduler

        protected org.eclipse.jetty.util.thread.Scheduler _scheduler

      • _ownScheduler

        protected boolean _ownScheduler

    • Constructor Detail

      • SessionHandler

        public SessionHandler()
        Constructor.

    • Method Detail

      • getSessionPath

        @ManagedAttribute("path of the session cookie, or null for default")
public String getSessionPath()

      • getMaxCookieAge

        @ManagedAttribute("if greater the zero, the time in seconds a session cookie will last for")
public int getMaxCookieAge()

      • access

        public org.eclipse.jetty.http.HttpCookie access​(HttpSession session,
                                                boolean secure)
        Called by the SessionHandler when a session is first accessed by a request.
        Parameters:
        session - the session object
        secure - whether the request is secure or not
        Returns:
        the session cookie. If not null, this cookie should be set on the response to either migrate the session or to refresh a session cookie that may expire.
        See Also:
        complete(HttpSession)

      • addEventListener

        public void addEventListener​(EventListener listener)
        Adds an event listener for session-related events.
        Parameters:
        listener - the session event listener to add Individual SessionManagers implementations may accept arbitrary listener types, but they are expected to at least handle HttpSessionActivationListener, HttpSessionAttributeListener, HttpSessionBindingListener and HttpSessionListener.
        See Also:
        removeEventListener(EventListener)

      • complete

        public void complete​(Session session,
                     Request request)

      • getHttpOnly

        @ManagedAttribute("true if cookies use the http only flag")
public boolean getHttpOnly()
        Returns:
        true if session cookies should be HTTP-only (Microsoft extension)
        See Also:
        HttpCookie.isHttpOnly()

      • getHttpSession

        public HttpSession getHttpSession​(String extendedId)
        Returns the HttpSession with the given session id
        Parameters:
        extendedId - the session id
        Returns:
        the HttpSession with the corresponding id or null if no session with the given id exists

      • getSessionIdManager

        @ManagedAttribute("Session ID Manager")
public SessionIdManager getSessionIdManager()
        Gets the cross context session id manager
        Returns:
        the session id manager

      • getMaxInactiveInterval

        @ManagedAttribute("default maximum time a session may be idle for (in s)")
public int getMaxInactiveInterval()
        Returns:
        the max period of inactivity, after which the session is invalidated, in seconds.
        See Also:
        setMaxInactiveInterval(int)

      • getRefreshCookieAge

        @ManagedAttribute("time before a session cookie is re-set (in s)")
public int getRefreshCookieAge()

      • getSecureCookies

        @ManagedAttribute("if true, secure cookie flag is set on session cookies")
public boolean getSecureCookies()
        Returns:
        same as SessionCookieConfig.getSecure(). If true, session cookies are ALWAYS marked as secure. If false, a session cookie is ONLY marked as secure if _secureRequestOnly == true and it is a HTTPS request.

      • isSecureRequestOnly

        public boolean isSecureRequestOnly()
        Returns:
        true if session cookie is to be marked as secure only on HTTPS requests

      • setSecureRequestOnly

        public void setSecureRequestOnly​(boolean secureRequestOnly)
        HTTPS request. Can be overridden by setting SessionCookieConfig.setSecure(true), in which case the session cookie will be marked as secure on both HTTPS and HTTP.
        Parameters:
        secureRequestOnly - true to set Session Cookie Config as secure

      • getSessionCookie

        @ManagedAttribute("the set session cookie")
public String getSessionCookie()

      • getSessionCookie

        public org.eclipse.jetty.http.HttpCookie getSessionCookie​(HttpSession session,
                                                          String contextPath,
                                                          boolean requestIsSecure)
        A session cookie is marked as secure IFF any of the following conditions are true:
        1. SessionCookieConfig.setSecure == true
        2. SessionCookieConfig.setSecure == false && _secureRequestOnly==true && request is HTTPS
        According to SessionCookieConfig javadoc, case 1 can be used when: "... even though the request that initiated the session came over HTTP, is to support a topology where the web container is front-ended by an SSL offloading load balancer. In this case, the traffic between the client and the load balancer will be over HTTPS, whereas the traffic between the load balancer and the web container will be over HTTP."

        For case 2, you can use _secureRequestOnly to determine if you want the Servlet Spec 3.0 default behavior when SessionCookieConfig.setSecure==false, which is: "they shall be marked as secure only if the request that initiated the corresponding session was also secure"

        The default for _secureRequestOnly is true, which gives the above behavior. If you set it to false, then a session cookie is NEVER marked as secure, even if the initiating request was secure.

        Parameters:
        session - the session to which the cookie should refer.
        contextPath - the context to which the cookie should be linked. The client will only send the cookie value when requesting resources under this path.
        requestIsSecure - whether the client is accessing the server over a secure protocol (i.e. HTTPS).
        Returns:
        if this SessionManager uses cookies, then this method will return a new cookie object that should be set on the client in order to link future HTTP requests with the session. If cookies are not in use, this method returns null.

      • getSessionDomain

        @ManagedAttribute("domain of the session cookie, or null for the default")
public String getSessionDomain()

      • getSessionsCreated

        @ManagedAttribute("number of sessions created by this node")
public int getSessionsCreated()

      • getSessionIdPathParameterName

        @ManagedAttribute("name of use for URL session tracking")
public String getSessionIdPathParameterName()
        Returns:
        the URL path parameter name for session id URL rewriting, by default "jsessionid".
        See Also:
        setSessionIdPathParameterName(String)

      • isUsingCookies

        public boolean isUsingCookies()
        Returns:
        whether the session management is handled via cookies.

      • isValid

        public boolean isValid​(HttpSession session)
        Parameters:
        session - the session to test for validity
        Returns:
        whether the given session is valid, that is, it has not been invalidated.

      • getId

        public String getId​(HttpSession session)
        Parameters:
        session - the session object
        Returns:
        the unique id of the session within the cluster (without a node id extension)
        See Also:
        getExtendedId(HttpSession)

      • getExtendedId

        public String getExtendedId​(HttpSession session)
        Parameters:
        session - the session object
        Returns:
        the unique id of the session within the cluster, extended with an optional node id.
        See Also:
        getId(HttpSession)

      • newHttpSession

        public HttpSession newHttpSession​(HttpServletRequest request)
        Creates a new HttpSession.
        Parameters:
        request - the HttpServletRequest containing the requested session id
        Returns:
        the new HttpSession

      • removeEventListener

        public void removeEventListener​(EventListener listener)
        Removes an event listener for for session-related events.
        Parameters:
        listener - the session event listener to remove
        See Also:
        addEventListener(EventListener)

      • statsReset

        @ManagedOperation(value="reset statistics",
                  impact="ACTION")
public void statsReset()
        Reset statistics values

      • setHttpOnly

        public void setHttpOnly​(boolean httpOnly)
        Parameters:
        httpOnly - The httpOnly to set.

      • setSessionIdManager

        public void setSessionIdManager​(SessionIdManager metaManager)
        Parameters:
        metaManager - The metaManager used for cross context session management.

      • setMaxInactiveInterval

        public void setMaxInactiveInterval​(int seconds)
        Sets the max period of inactivity, after which the session is invalidated, in seconds.
        Parameters:
        seconds - the max inactivity period, in seconds.
        See Also:
        getMaxInactiveInterval()

      • setRefreshCookieAge

        public void setRefreshCookieAge​(int ageInSeconds)

      • setSessionCookie

        public void setSessionCookie​(String cookieName)

      • setUsingCookies

        public void setUsingCookies​(boolean usingCookies)
        Parameters:
        usingCookies - The usingCookies to set.

      • getSession

        public Session getSession​(String id)
        Get a known existing session
        Parameters:
        id - The session ID stripped of any worker name.
        Returns:
        A Session or null if none exists.

      • shutdownSessions

        protected void shutdownSessions()
                         throws Exception
        Prepare sessions for session manager shutdown
        Throws:
        Exception - if unable to shutdown sesssions

      • getSessionCache

        public SessionCache getSessionCache()
        Returns:
        the session store

      • setSessionCache

        public void setSessionCache​(SessionCache cache)
        Parameters:
        cache - the session store to use

      • isNodeIdInSessionId

        public boolean isNodeIdInSessionId()
        Returns:
        true if the cluster node id (worker id) is returned as part of the session id by HttpSession.getId(). Default is false.

      • setNodeIdInSessionId

        public void setNodeIdInSessionId​(boolean nodeIdInSessionId)
        Parameters:
        nodeIdInSessionId - true if the cluster node id (worker id) will be returned as part of the session id by HttpSession.getId(). Default is false.

      • getSessionTimeMax

        @ManagedAttribute("maximum amount of time sessions have remained active (in s)")
public long getSessionTimeMax()
        Returns:
        maximum amount of time session remained valid

      • setSessionTrackingModes

        public void setSessionTrackingModes​(Set<SessionTrackingMode> sessionTrackingModes)

      • isUsingURLs

        public boolean isUsingURLs()
        Returns:
        whether the session management is handled via URLs.

      • getSessionTimeTotal

        @ManagedAttribute("total time sessions have remained valid")
public long getSessionTimeTotal()
        Returns:
        total amount of time all sessions remained valid

      • getSessionTimeMean

        @ManagedAttribute("mean time sessions remain valid (in s)")
public double getSessionTimeMean()
        Returns:
        mean amount of time session remained valid

      • getSessionTimeStdDev

        @ManagedAttribute("standard deviation a session remained valid (in s)")
public double getSessionTimeStdDev()
        Returns:
        standard deviation of amount of time session remained valid

      • isCheckingRemoteSessionIdEncoding

        @ManagedAttribute("check remote session id encoding")
public boolean isCheckingRemoteSessionIdEncoding()
        Returns:
        True if absolute URLs are check for remoteness before being session encoded.

      • setCheckingRemoteSessionIdEncoding

        public void setCheckingRemoteSessionIdEncoding​(boolean remote)
        Parameters:
        remote - True if absolute URLs are check for remoteness before being session encoded.

      • renewSessionId

        public void renewSessionId​(String oldId,
                           String oldExtendedId,
                           String newId,
                           String newExtendedId)
        Change the existing session id.
        Parameters:
        oldId - the old session id
        oldExtendedId - the session id including worker suffix
        newId - the new session id
        newExtendedId - the new session id including worker suffix

      • invalidate

        public void invalidate​(String id)
        Called when a session has expired.
        Parameters:
        id - the id to invalidate

      • scavenge

        public void scavenge()
        Called periodically by the HouseKeeper to handle the list of sessions that have expired since the last call to scavenge.

      • sessionInactivityTimerExpired

        public void sessionInactivityTimerExpired​(Session session)
        Each session has a timer that is configured to go off when either the session has not been accessed for a configurable amount of time, or the session itself has passed its expiry.
        Parameters:
        session - the session

      • isIdInUse

        public boolean isIdInUse​(String id)
                  throws Exception
        Check if id is in use by this context
        Parameters:
        id - identity of session to check
        Returns:
        true if this manager knows about this id
        Throws:
        Exception - if any error occurred

      • getScheduler

        public org.eclipse.jetty.util.thread.Scheduler getScheduler()

      • doSessionAttributeListeners

        public void doSessionAttributeListeners​(Session session,
                                        String name,
                                        Object old,
                                        Object value)

      • checkRequestedSessionId

        protected void checkRequestedSessionId​(Request baseRequest,
                                       HttpServletRequest request)
        Look for a requested session ID in cookies and URI parameters
        Parameters:
        baseRequest - the request to check
        request - the request to check

      • toString

        public String toString()
        Overrides:
        toString in class org.eclipse.jetty.util.component.AbstractLifeCycle
        See Also:
        Object.toString()