
Send cookie once in CookieHttpSessionStrategy

Open · mancze opened this issue 3 years ago · 1 comment

Feature description

In the current implementation, a session cookie is issued on every request for which a session exists. https://github.com/micronaut-projects/micronaut-core/blob/7de2b99be7fd0417492965639f8caa1b6f4fc3bd/session/src/main/java/io/micronaut/session/http/HttpSessionFilter.java#L154

This might be unnecessary, and it potentially increases the risk of a session cookie leak in case an attacker is trying to eavesdrop on the session cookie. It seems reasonable to issue the session cookie only once, when the session is established, or more precisely "when the session (id) the request started with differs from the session (id) which is being encoded".

If a "send cookie once" policy would not fit all cases, then it would be helpful to make it configurable.

There is a possibility to decorate the current implementation strategy with additional logic around it. However, that appears sub-optimal, as the "session is expired" check should probably have priority over the "did we send a cookie already" check. A better solution would be to have built-in support for it.

mancze avatar Sep 05 '22 15:09 mancze
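As an added illustration of the decorator approach the issue mentions (this is example code, not part of micronaut-core or of the issue author's proposal), the sketch below wraps an existing session id strategy and skips the Set-Cookie write when the client already presented the id being encoded, while still delegating for an expired session so the expiry handling keeps priority. It assumes the `HttpSessionIdStrategy` interface shape (`resolveIds`/`encodeId`) and the `Session.getId()`/`Session.isExpired()` methods of the micronaut-session module; the class name `SendOnceSessionIdStrategy` is hypothetical, and how the bean is wired in place of `CookieHttpSessionStrategy` depends on the Micronaut version and is not shown.

```java
import java.util.List;

import io.micronaut.http.HttpRequest;
import io.micronaut.http.MutableHttpResponse;
import io.micronaut.session.Session;
import io.micronaut.session.http.HttpSessionIdStrategy;

/**
 * Example decorator (hypothetical, not project code) around an existing
 * HttpSessionIdStrategy such as CookieHttpSessionStrategy.
 *
 * Policy: write the session cookie only when the id the request arrived
 * with differs from the id being encoded. An expired session is always
 * passed to the delegate first, so the stale cookie can be cleared/rotated
 * regardless of whether it was "already sent".
 */
public final class SendOnceSessionIdStrategy implements HttpSessionIdStrategy {

    private final HttpSessionIdStrategy delegate;

    public SendOnceSessionIdStrategy(HttpSessionIdStrategy delegate) {
        this.delegate = delegate;
    }

    @Override
    public List<String> resolveIds(HttpRequest<?> request) {
        // Resolution is unchanged: ids still come from the wrapped strategy.
        return delegate.resolveIds(request);
    }

    @Override
    public void encodeId(HttpRequest<?> request, MutableHttpResponse<?> response, Session session) {
        if (shouldEncode(resolveIds(request), session)) {
            delegate.encodeId(request, response, session);
        }
    }

    /**
     * Pure decision function so the ordering of the two checks can be unit
     * tested without HTTP plumbing. Assumed inputs: the ids the client sent
     * (as resolved by the delegate) and the session about to be encoded.
     */
    static boolean shouldEncode(List<String> idsSentByClient, Session session) {
        // 1. Expiry has priority: let the delegate emit whatever it does for
        //    an expired session (typically a cookie that clears the old id).
        if (session.isExpired()) {
            return true;
        }
        // 2. Client already holds exactly this id: re-sending it adds nothing
        //    for the client and only gives an eavesdropper another copy.
        return !idsSentByClient.contains(session.getId());
    }
}
```

Note that fewer Set-Cookie writes only reduce exposure to someone who can read the response; the request still carries the cookie every time, so the `Secure` attribute (and TLS) remains the primary control against eavesdropping.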

Can you please confirm that this is still an issue in the latest version of Micronaut?

ojebari-ma avatar May 26 '25 01:05 ojebari-ma