✅ Session Management in Spring Boot
Session management in Spring Boot is about tracking per-user state across multiple HTTP requests on top of a protocol that is itself stateless. Typical uses are login sessions and shopping carts: the server keeps the state and hands the browser an opaque session id (normally in a cookie) that links later requests back to it.
🧱 1. Default Behavior (HTTP Session)
In a plain Spring Boot web application (spring-boot-starter-web) the embedded servlet container (Tomcat by default) creates an HttpSession lazily, the first time something asks for one: a call to request.getSession(), a controller parameter of type HttpSession, or Spring Security saving the SecurityContext after login. The container sends the id back as a JSESSIONID cookie. By default sessions are held in the container's memory, so they are lost on restart and are not shared between instances of the application.
✅ Example:
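The controller below is an added example, not code from the original page: it counts visits in the container-managed HttpSession of a Spring Boot 3 (Jakarta namespace) application without Spring Security. The package name, endpoint path and attribute name are illustrative choices.

```java
// Added example (not from the original page). Assumes Spring Boot 3 with
// spring-boot-starter-web only; the path and attribute name are arbitrary.
package com.example.demo;

import jakarta.servlet.http.HttpSession;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class VisitController {

    private static final String VISITS = "visits";

    // Declaring an HttpSession parameter makes Spring MVC call request.getSession(),
    // which creates the session on the first request and answers with
    // Set-Cookie: JSESSIONID=...; HttpOnly. Requests that send the cookie back
    // get the same session object and therefore the same attributes.
    @GetMapping("/visits")
    public String visits(HttpSession session) {
        Integer count = (Integer) session.getAttribute(VISITS);
        count = (count == null) ? 1 : count + 1;
        session.setAttribute(VISITS, count);

        // isNew() is true only on the request that created the session;
        // getMaxInactiveInterval() is the idle timeout in seconds (1800 by default).
        return "session " + session.getId()
             + (session.isNew() ? " (new)" : "")
             + " visit #" + count
             + ", idle timeout " + session.getMaxInactiveInterval() + "s";
    }
}
```

To see the behaviour, call the endpoint twice with a cookie jar (for example `curl -c jar -b jar http://localhost:8080/visits`): the second call reports visit #2 on the same id. Calling it without `-b jar` creates a fresh session every time, which is exactly what happens when a client drops the cookie.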
🛡️ 2. Session with Spring Security
When Spring Security is on the classpath:
- A session is created (if one does not exist yet) when authentication succeeds, for example after form login
- The SecurityContext holding the Authentication (principal, authorities) is saved in that HttpSession under the attribute SPRING_SECURITY_CONTEXT by HttpSessionSecurityContextRepository; on later requests it is loaded from the session, so the user stays logged in without re-sending credentials
- By default the session id is changed on login (session-fixation protection), so an id an attacker planted before authentication is never promoted to an authenticated session
⚙️ 3. Session Configuration (in application.properties)
The container session (idle timeout, cookie name and cookie flags) is configured through the server.servlet.session.* properties. The default idle timeout is 30 minutes.
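An added configuration example (not from the original page). The property names are real Spring Boot server.servlet.session.* keys; the values are illustrative choices.

```properties
# Added example (not from the original page). Keys are Spring Boot's own;
# the values are one reasonable hardening baseline, not the defaults.

# Idle timeout: a session unused for this long is destroyed (default 30m)
server.servlet.session.timeout=20m

# Cookie that carries the session id
server.servlet.session.cookie.name=JSESSIONID
# Not readable from JavaScript (limits the damage of an XSS bug)
server.servlet.session.cookie.http-only=true
# Only sent over HTTPS (breaks plain-http local testing; set false there, never in prod)
server.servlet.session.cookie.secure=true
# Not sent on cross-site requests (Lax keeps top-level navigation working; Strict is tighter)
server.servlet.session.cookie.same-site=lax

# Never fall back to ;jsessionid=... URL rewriting, which leaks the id into logs and referers
server.servlet.session.tracking-modes=cookie
```

With tracking-modes limited to cookie, a client that refuses cookies simply gets a new session on every request instead of having the session id appended to URLs.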
🧊 4. Session Management Strategies in Spring Security
Strategy | Description |
---|---|
ALWAYS | Always create a session, even for requests that do not need one |
IF_REQUIRED (default) | Create a session only when Spring Security needs one, e.g. to save the SecurityContext after login |
NEVER | Spring Security never creates a session itself, but will use one that already exists |
STATELESS | Spring Security neither creates nor reads a session; every request must carry its own credentials (bearer token, basic auth). The usual choice for REST APIs |

The policy is set with http.sessionManagement(session -> session.sessionCreationPolicy(...)). Note the difference between NEVER and STATELESS: with NEVER an existing session (created by the container or another part of the app) is still used to store the SecurityContext; with STATELESS it is ignored.
🧰 5. Distributed Session Management
For scalability (more than one instance, zero-downtime restarts) keep sessions in an external store via Spring Session. Adding the store module to the classpath is enough for Spring Boot to replace the container's in-memory session with it; the session id is then sent in a cookie named SESSION.
Storage | How to Enable |
---|---|
Redis | spring-session-data-redis (plus spring-boot-starter-data-redis for the connection) |
JDBC | spring-session-jdbc (needs a DataSource; the SPRING_SESSION tables can be created with spring.session.jdbc.initialize-schema=always) |
Hazelcast | spring-session-hazelcast (plus a HazelcastInstance bean or the Hazelcast starter) |
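An added configuration example for the Redis row (not from the original page). It assumes Spring Boot 3 with spring-session-data-redis and spring-boot-starter-data-redis on the classpath; the host name and namespace are invented.

```properties
# Added example (not from the original page). Assumes Spring Boot 3, where the
# Redis connection keys live under spring.data.redis.* (spring.redis.* in Boot 2.x).
spring.data.redis.host=redis.internal      # assumed host
spring.data.redis.port=6379
spring.data.redis.ssl.enabled=true         # session data is as sensitive as the login itself

# Spring Session settings (these replace server.servlet.session.timeout for the stored session)
spring.session.timeout=20m
spring.session.redis.namespace=myapp:session   # assumed key prefix; keeps apps apart on a shared Redis

# Cookie flags still come from server.servlet.session.cookie.*, which Spring Boot
# applies to Spring Session's cookie serializer as well
server.servlet.session.cookie.http-only=true
server.servlet.session.cookie.secure=true
server.servlet.session.cookie.same-site=lax
```

Because every instance reads the same store, a login on one node is valid on all of them, and expiring a session centrally (see section 6) takes effect everywhere.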
🔒 6. Session Invalidation & Logout
On logout Spring Security's LogoutFilter runs its LogoutHandlers; by default SecurityContextLogoutHandler invalidates the HttpSession and clears the SecurityContext, and with CSRF enabled logout must be a POST carrying the CSRF token. Sessions can also be ended programmatically with HttpSession.invalidate(), or expired centrally through the SessionRegistry when concurrency control is enabled.
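The configuration below is an added example, not code from the original page; it serves both section 4 (creation policy, fixation protection, concurrent-session control) and this section (logout handling and programmatic invalidation) in one SecurityFilterChain. It assumes Spring Boot 3 / Spring Security 6 with form login; the package name, URL paths and the one-session-per-user limit are illustrative choices.

```java
// Added example (not from the original page). Assumes Spring Boot 3 / Spring Security 6
// with spring-boot-starter-security; paths, package and limits are assumptions.
package com.example.demo;

import jakarta.servlet.http.HttpSession;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.session.SessionInformation;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.session.HttpSessionEventPublisher;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RestController;

@Configuration
@EnableWebSecurity
public class SessionSecurityConfig {

    // Tracks live sessions per principal; used by concurrency control and by the
    // "expire my other sessions" endpoint below.
    @Bean
    SessionRegistry sessionRegistry() {
        return new SessionRegistryImpl();
    }

    // Forwards container session-destroyed events to Spring Security so the registry
    // notices sessions that time out or are invalidated outside of logout.
    @Bean
    HttpSessionEventPublisher httpSessionEventPublisher() {
        return new HttpSessionEventPublisher();
    }

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http, SessionRegistry registry) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/login", "/logout").permitAll()
                .anyRequest().authenticated())
            .formLogin(Customizer.withDefaults())
            .sessionManagement(session -> session
                // IF_REQUIRED is the default; ALWAYS / NEVER / STATELESS are the alternatives
                .sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
                // Rotate the session id on login (default on Servlet 3.1+, shown explicitly):
                // an id planted before authentication never becomes an authenticated session
                .sessionFixation(fixation -> fixation.changeSessionId())
                // Concurrency control: at most one live session per user. A new login
                // expires the older session instead of being refused.
                .maximumSessions(1)
                .maxSessionsPreventsLogin(false)
                .sessionRegistry(registry)
                .expiredUrl("/login?expired"))
            .logout(logout -> logout
                .logoutUrl("/logout")            // POST /logout with CSRF token
                .invalidateHttpSession(true)     // default, shown explicitly: drop server-side state
                .clearAuthentication(true)       // default, shown explicitly: clear SecurityContext
                .deleteCookies("JSESSIONID")     // remove the now-useless cookie from the browser
                .logoutSuccessUrl("/login?logout"));
        return http.build();
    }
}

// Programmatic invalidation: expire every *other* session of the current user,
// e.g. after a password change. The current session stays valid; the others are
// rejected on their next request by ConcurrentSessionFilter.
@RestController
class SessionController {

    private final SessionRegistry registry;

    SessionController(SessionRegistry registry) {
        this.registry = registry;
    }

    @PostMapping("/sessions/expire-others")
    String expireOtherSessions(HttpSession current, Authentication auth) {
        int expired = 0;
        // false = do not include sessions that are already expired
        for (SessionInformation info : registry.getAllSessions(auth.getPrincipal(), false)) {
            if (!info.getSessionId().equals(current.getId())) {
                info.expireNow();
                expired++;
            }
        }
        return "expired " + expired + " other session(s)";
    }
}
```

Two things to check when adopting this: the HttpSessionEventPublisher bean is required, otherwise the registry never learns about sessions the container destroys and the per-user limit fills up with dead entries; and with an external store (section 5) the same registry must be backed by that store (Spring Session provides its own SessionRegistry implementation for this), or each node will only see its own sessions.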
✅ Best Practices
- 🔐 Use HTTPS everywhere: the session cookie is the login, and anyone who reads it on the wire is the user
- 🚫 Set the HttpOnly flag (not readable from JavaScript) and the Secure flag (HTTPS only) on the session cookie, and SameSite=Lax or Strict so it is not sent on cross-site requests
- 🔁 Keep Spring Security's session-fixation protection on; it rotates the session id on login, and never accept session ids from URLs
- 🕒 Set a reasonable idle timeout (the default is 30 minutes) and invalidate the session explicitly on logout and on password change
- 🌍 Use an external session store (Redis, JDBC, Hazelcast) when more than one instance serves the application, so a session is valid whichever node answers and can be expired centrally