Hashing Cookies in Redis (Spring)
Hello! I'm looking into Spring Session w/ Redis for persistent HTTP sessions, however when testing locally I'm seeing that the HTTP Session ID is stored in the Redis cache, and the Spring default cookie appears to be a base64-encoded string of that Session ID.
Is there a way for me to Hash the ID before it's put in? That way if our Redis Cache leaks, we don't allow hackers to steal cookies? (We could IP check, but I'd rather do both tbh, instead of just one)
Ideally with a Spring Property, or a simple Spring bean would be best.
Hmm, maybe then it might be better to do partial integration, so instead of Spring Session w/ Redis, integration as part of the Session Chain.
Pseudo Flow
It does increase the complexity, but the main idea is that when we swap the users to different JVMs the session persists, and it avoids Redis being able to leak cookies, since we're just storing an indirect hash.
Sounds good
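A minimal sketch of the indirect-hash idea discussed in this thread, added here as an example and not code from any poster or from Spring Session: the cookie carries a random token, while the store is keyed only by the SHA-256 of that token. The class name `HashedSessionStore`, the in-memory map standing in for Redis, and the `session:` key prefix are assumptions; `HexFormat` needs Java 17 or later.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HexFormat;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;

/** Added illustration: the store is keyed by SHA-256(token); only the cookie holds the token. */
public class HashedSessionStore {
    // Stand-in for Redis (assumption): key = "session:" + hex SHA-256 of the cookie token.
    private final Map<String, Map<String, Object>> store = new ConcurrentHashMap<>();
    private final SecureRandom random = new SecureRandom();

    static String storageKey(String token) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256")
                    .digest(token.getBytes(StandardCharsets.UTF_8));
            return "session:" + HexFormat.of().formatHex(digest);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e); // SHA-256 is mandatory on every JVM
        }
    }

    /** Creates a session and returns the token that goes into the cookie. */
    public String create() {
        byte[] raw = new byte[32]; // 256 random bits: an unsalted hash is enough for such a token
        random.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        store.put(storageKey(token), new ConcurrentHashMap<>());
        return token;
    }

    /** Looks a session up by re-hashing the token presented in the cookie. */
    public Optional<Map<String, Object>> find(String cookieToken) {
        return Optional.ofNullable(store.get(storageKey(cookieToken)));
    }

    public static void main(String[] args) {
        HashedSessionStore sessions = new HashedSessionStore();
        String cookie = sessions.create();
        sessions.find(cookie).orElseThrow().put("user", "alice"); // constructed sample value
        String storedKey = sessions.store.keySet().iterator().next();
        System.out.println("cookie token resolves: " + sessions.find(cookie).isPresent());
        // A key read out of the store is a hash, not a token, so it does not resolve a session.
        System.out.println("stored key resolves:   " + sessions.find(storedKey).isPresent());
    }
}
```

The session attributes themselves still sit in the store in readable form, so this protects the cookie value only, not the session contents.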