Session management in Spring Security

1, Session timeout

  • Configure the session timeout. The default is 30 minutes, and in Spring Boot the session timeout is at least 60 seconds. After the session times out, the user is redirected to the login page by default

    #session settings
    #Configure session timeout 
    server.servlet.session.timeout=60
    
  • Customize the redirect address after a session timeout: configure session management and set the URL to redirect to when the session is invalid

    http.sessionManagement() // Set up session management
            .invalidSessionUrl("/toLoginPage"); // Redirect target for an invalid session. The default is the login page
    // expiredUrl(...) is only available after maximumSessions(...), see the concurrency control section
    

2, Concurrency control

Concurrency control limits the number of simultaneous logins for the same account. If the limit is set to 1, the account can have only one valid login at a time. If the same account logs in elsewhere, the earlier login session is expired, that is, the later login kicks out the earlier one

  • Set the maximum number of sessions

    http.sessionManagement() // Set up session management
            .invalidSessionUrl("/toLoginPage") // Redirect target for an invalid session. The default is the login page
            .maximumSessions(1) // Set the maximum number of sessions. There can only be one session at a time
            .maxSessionsPreventsLogin(false) // Do not block the new login when the maximum is reached; the earlier session is expired instead
            .expiredUrl("/toLoginPage"); // Set the redirect path after the session expires
    
  • Prevent users from logging in a second time

    http.sessionManagement() // Set up session management
            .invalidSessionUrl("/toLoginPage") // Redirect target for an invalid session. The default is the login page
            .maximumSessions(1) // Set the maximum number of sessions. There can only be one session at a time
            .maxSessionsPreventsLogin(true) // Block login when the maximum number of sessions is reached
            .expiredUrl("/toLoginPage"); // Set the redirect path after the session expires
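
The concurrency settings above placed in a complete configuration class, as an added example that is not part of the original post. It assumes the `WebSecurityConfigurerAdapter` style that the `http.sessionManagement()` chain implies; the class name and the form-login setup are assumptions. The `HttpSessionEventPublisher` bean matters most with `maxSessionsPreventsLogin(true)`: without it Spring Security is not told when a session times out, so the account stays counted as logged in and the user is locked out.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.session.HttpSessionEventPublisher;

@Configuration
public class SessionSecurityConfig extends WebSecurityConfigurerAdapter { // hypothetical class name

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                // The redirect target must be reachable without a session,
                // otherwise an invalid session ends in a redirect loop.
                .antMatchers("/toLoginPage").permitAll()
                .anyRequest().authenticated()
            .and()
            .formLogin() // assumption: form login served at the page's /toLoginPage
                .loginPage("/toLoginPage")
            .and()
            .sessionManagement()
                .invalidSessionUrl("/toLoginPage")
                .maximumSessions(1)
                // true: reject the second login; false: expire the earlier session
                .maxSessionsPreventsLogin(true)
                .expiredUrl("/toLoginPage");
    }

    // Forwards servlet session create/destroy events to Spring Security so the
    // session registry drops timed-out sessions and the account can log in again.
    @Bean
    public HttpSessionEventPublisher httpSessionEventPublisher() {
        return new HttpSessionEventPublisher();
    }
}
```

When sessions are kept in a shared store across several servers, the default in-memory session registry only counts sessions created on its own node; Spring Session provides `SpringSessionBackedSessionRegistry` for that case.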
    

3, Session cluster

In a real deployment, a service runs on at least two servers, with nginx in front of them for load balancing. Users access nginx, and nginx decides which server handles each request. When one server goes down, another can continue to provide the service without interruption. If the session is saved in the Web container (such as tomcat), a problem appears: the user logs in when the first request is assigned to server 1, and when a later request is suddenly assigned to server 2, server 2 has no session information for the login made on server 1, so server 2 asks the user to log in again. The user is already logged in, so being asked to log in again does not feel normal

The idea to solve this problem is to stop saving the user's login session information on the Web server and save it to a separate store instead (redis, mongodb, jdbc, etc.). All servers access the same store and obtain the user's session information from it. For example, the user logs in on server 1, which saves the session information to the store. The user's next request is assigned to server 2. Server 2 checks in the store whether the session already exists. If it exists, the user does not need to log in again and can access the service directly.

    #Sharing sessions using redis
    spring.session.store-type=redis

4, Cross domain and CORS

Cross domain blocking is essentially a protection mechanism of the browser. When a request is cross domain, the result returned by the server is intercepted by the browser (Note: the request itself is sent normally, but the browser intercepts the response), so the response content is unavailable. Several cases of cross domain are as follows:

Solve cross domain

  • JSONP

    1. The browser allows some tags with a src attribute to load cross domain resources, that is, writing the url address in the src attribute of these tags does not cause cross domain problems
  • CORS solves cross domain

    1. CORS is a W3C standard, whose full name is "cross origin resource sharing". CORS requires both browser and server support. At present, all browsers support this function, and IE browser cannot be lower than IE10. Before initiating the real request, the browser sends a preflight request of type OPTIONS to ask whether the server allows cross domain access. The real request is sent only when the server allows it

CORS support based on Spring Security

  • Declare cross domain configuration sources

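    // import org.springframework.web.cors.CorsConfiguration;
    // import org.springframework.web.cors.CorsConfigurationSource;
    // import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

    /**
     * Cross domain configuration information source
     *
     * @return the CORS configuration source applied to all URLs
     */
    public CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration corsConfiguration = new CorsConfiguration();
        // Set sites that allow cross domain. "*" cannot be combined with
        // setAllowCredentials(true) (Spring Framework 5.3+ rejects it), so the
        // trusted origin is listed explicitly; this value is a placeholder
        corsConfiguration.addAllowedOrigin("https://app.example.com");
        // Set the allowed cross domain http methods
        corsConfiguration.addAllowedMethod("*");
        // Set request headers that allow cross domain
        corsConfiguration.addAllowedHeader("*");
        // Allow credentials (cookies)
        corsConfiguration.setAllowCredentials(true);
        // Effective for all URLs
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", corsConfiguration);
        return source;
    }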
    
  • Turn on cross domain support

    //Allow cross domain 
    http.cors().configurationSource(corsConfigurationSource());
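
How a `CorsConfiguration` answers the preflight request described above, as an added example that is not part of the original post. It assumes spring-web 5.3 or later and Java 9+ on the classpath; the class name, helper method names and origins are made up for illustration.

```java
import java.util.List;
import org.springframework.http.HttpMethod;
import org.springframework.web.cors.CorsConfiguration;

public class CorsDecisionDemo { // hypothetical class name

    // Explicit allowlist; the origin is a placeholder for this example.
    static CorsConfiguration restricted() {
        CorsConfiguration c = new CorsConfiguration();
        c.setAllowedOrigins(List.of("https://app.example.com"));
        c.setAllowedMethods(List.of("GET", "POST"));
        c.setAllowedHeaders(List.of("Content-Type", "X-Requested-With"));
        c.setAllowCredentials(true);
        return c;
    }

    // Wildcard origin together with credentials.
    static CorsConfiguration wildcardWithCredentials() {
        CorsConfiguration c = new CorsConfiguration();
        c.addAllowedOrigin("*");
        c.setAllowCredentials(true);
        return c;
    }

    // The three checks behind a preflight answer: origin, requested method,
    // requested headers. Each check returns null when the value is not allowed.
    static boolean preflightAllowed(CorsConfiguration c, String origin,
                                    HttpMethod method, List<String> headers) {
        return c.checkOrigin(origin) != null
                && c.checkHttpMethod(method) != null
                && c.checkHeaders(headers) != null;
    }

    public static void main(String[] args) {
        CorsConfiguration c = restricted();
        List<String> h = List.of("Content-Type");
        System.out.println(preflightAllowed(c, "https://app.example.com", HttpMethod.POST, h));
        System.out.println(preflightAllowed(c, "https://other.example", HttpMethod.POST, h));
        System.out.println(preflightAllowed(c, "https://app.example.com", HttpMethod.DELETE, h));
        try {
            // Spring refuses "*" plus credentials instead of echoing any origin.
            wildcardWithCredentials().validateAllowCredentials();
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```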
    

Keywords: Spring

Added by 22Pixels on Sat, 27 Nov 2021 05:01:42 +0200