SessionManagementFilter
The SessionManagementFilter is part of the Dynamic Session Management Engine, also called Dynamic Session Engine or Dynamic Session Management. With the Dynamic Session Engine, the creation and handling of sessions happens on filter chain level. Thus, it is possible to set different session management rules for different applications and/or types of user requests. This leads to a more flexible way of session handling and makes it possible to deal with certain undesirable Web2.0 patterns such as unnecessary background requests and updates. For more information on the Dynamic Session Management Engine, see the chapter Dynamic Session Management Engine.
If a session is needed, it is the SessionManagementFilter that defines the method of session binding (mostly by means of cookies) and creates as well as handles the session. Session store servlets are responsible for storing and loading the session data.
Depending on the required storage technology, the SessionManagementFilter calls for a different session store servlet. Currently, nevisProxy supports:
- the local storage of a session via the LocalSessionStoreServlet;
- the remote session storage in a MariaDB database by means of the MySQLSessionStoreServlet;
- and the combination of a local and a remote storage with the MultiLevelSessionStoreServlet.
To reduce the risk of unintended session overwrite, the SessionManagementFilter utilizes a mutex mechanism. On the parameter level, nevisProxy checks whether a faster request within the same session has already updated the parameter in the session store. If this is the case, the slower request does not overwrite the data.
ch::nevis::nevisproxy::filter::session::SessionManagementFilter
libNPSessionFilters.so.1
Configuration
Servlet
Type: string
Usage Constraints: required
Sets the session store servlet that stores the session data. The SessionManagementFilter uses the name of the session store servlet to contact the session store.
Identification
Type: enum
Possible values: cookie
, custom
Usage Constraints: required
Defines the method of session binding. Depending on the session type, you may have to set other parameters.
MaxInactiveInterval
Type: integer
Unit: seconds
Usage Constraints: optional
Use this parameter to override the MaxInactiveInterval parameter in the SessionStoreServlet. This allows you to flexibly change the timeout for different locations. Be aware that this timeout can be overwritten by:
- the IdentityCreationFilter via the parameter InactiveInterval
- the LuaFilter via the expression
session:setInactiveTimeout(timeout)
- nevisAuth, for specific sessions
MaxLifetime
Type: integer
Unit: seconds
Usage Constraints: optional
You can use this parameter to override the maximum lifetime of the session set in the underlying servlet. This allows you to flexibly change the timeout for different locations. Be aware that this timeout can be overwritten by:
- the IdentityCreationFilter via the parameter MaxLifetime
- the SecurityRoleFilter via the parameter MaxLifetime, and
- the LuaFilter via the session object method
session:setMaxLifetime(timeout)
UpdateTimeStamp
Type: boolean
Usage Constraints: optional, conditional
Supported Pragmas: break only, no continue
Default: true
Sets whether to update the time stamp of the session. The time stamp is updated when we read the session, provided that UpdateTimeStamp
is true and the number of seconds configured by UpdateTimeStampMinInterval
have passed since the last update.
UpdateTimeStampMinInterval
Type: integer
Unit: seconds
Range: min: 0
, max: 3600
Usage Constraints: optional
Default: 60
This parameter sets the minimum time interval between two updates of the session timestamp, in seconds. If the parameter is set to "0", the system will update the session timestamp each time a request accesses a session.
Be aware that in a worst case scenario the maximum inactive timeout may be reduced by the value you configure here. For example if you have an inactive timeout of 10 minutes and an UpdateTimeStampMinInterval
of 1 minute the real inactive interval will be between 9 and 10 minutes.
If the UpdateTimeStampMinInterval
is bigger than the configured MaxInactiveInterval
, the session time stamp is never updated again and the session is invalidated when MaxInactiveInterval
seconds passed since the last timestamp update.
Therefore make sure that the UpdateTimeStampMinInterval
is always less than the minimal inactive interval that can be set.
Validation.Rules
Type: new-line separated list of rules
Usage Constraints: optional, conditional
Syntax: AUTH|ENV|CONST|PARAM|HEADER:<attribute_name>:block|invalidate|reauth
Configures a set of rules on which attributes must not change in the same session.
- block: The request will be blocked and 403 (Forbidden) will be returned.
- invalidate: The session will be invalidated and a new one will be created.
- reauth: The session is reauthenticated with an IdentityCreationFilter. When there are multiple filters capable of invoking the reauthentication, only the first one is triggered.
ForcedParameterNames
Type: new-line separated list of parameter names
Usage Constraints: optional, experimental
This parameter defines the names of the attribute stored into a session, regardless of whether another instance modified the same attribute in the meantime.
Cookie.Name
Type: string
Usage Constraints: required for cookie identification
Sets the name of the cookie that is sent to the client.
Cookie.HttpOnly
Type: boolean
Usage Constraints: optional
Default: true
Secure default: true
Sets whether to send the cookie as HttpOnly to the client.
Cookie.Domain
Type: string
Usage Constraints: optional
Sets the domain of the cookie that is sent to the client.
Cookie.Path
Type: string
Usage Constraints: optional
Default: /
Sets the path of the cookie that is sent to the client.
Cookie.Secure
Type: boolean
Usage Constraints: optional
Default: true
Secure default: true
Sets whether the cookie has a secure flag.
Cookie.ExtraAttributes
Type: new-line separated list
Usage Constraints: optional
Syntax: <name>[:<value>]
Makes it possible to add extra cookie attributes.
Cookie.Persistent
Type: boolean
Usage Constraints: optional
Default: false
If this attribute is set to true
, the Expires
and Max-Age
parameters will be set for the session cookie.
Cookie.OnInvalid
Type: integer
Usage Constraints: optional, advanced, conditional
Supported Pragmas: break only, no continue
Defines a status code, which will be sent if a session cookie does not point to a valid session. If you have two locations, an active location and a passive location and switch from the active to the passive location, a huge amount of requests will then arrive and all will get an anonymous session as soon as they trigger the login process. This can then lead to a session store overflow.
If you map en ErrorFilter between this filter and the frontend, you have to set propagateHeader of the ErrorFilter to true
, otherwise you risk that the invalid cookie will never be removed and no login is possible anymore.
Cookie.KeepOldCookieTimeout
Type: integer
Range: min: 0, max: 10
Usage Constraints: optional
Configures the number of seconds that a cookie is to be valid after renegotiated with a new one, for example, due to a successful login. Increasing the value can help minimize the chance of session loss during a login or step-up with parallel request.
Custom.RequiredIdentifiers
Type: string
Usage Constraints: required for custom identification
Syntax: <SRC>:<VAR>[;<SRC>:<VAR>...]..
List of attributes needed to calculate the Hash for the Session ID. Source can be: AUTH|ENV|CONST|PARAM|HEADER
.
Custom.OptionalIdentifiers
Type: string
Usage Constraints: optional, advanced
Syntax: <SRC>:<VAR>[;<SRC>:<VAR>...]..
List of attributes needed to calculate the Hash for the Session ID. Source can be: AUTH|ENV|CONST|PARAM|HEADER
Custom.IdentifierViolationPolicy
Type: enum
Possible values: abort
, skip
, response
Usage Constraints: advanced
Default: abort
Defines what to do if at least one of the Custom.RequiredIdentifiers is missing:
- Abort: Abort the request and return an error code.
- Skip: Skip the calculation of the HashKey and continue without a custom session.
- Response: Wait for the response of the backend to build the identifier, if not all identifiers have been found before calling the backend.
Custom.BindToParentSession
Type: boolean
Usage Constraints: optional
Default: false
If set to true, the custom session will be bound to the parent session. It means, that if the parent session is invalidated, all custom sessions bound to it will be invalidated as well. However, a child session can be invalidated independently of the parent session. If no parent session can be found, a new parent session will be created.
Custom.BindToParentSession.MaxSessionsPerParent
Type: integer
Usage Constraints: optional, advanced, min: 1
, max: 100
Defines the maximal number of custom sessions that the parent may have. If the limit is reached, the oldest (by access time) will be invalidated. Be aware that if you set the limit to more than 10, the performance may decrease. So you better configure custom sessions with a low inactive timeout.
Will only be evaluated if Custom.BindToParentSession is true
.
Custom.BindToParentSession.InheritSessionAttributes
Type: boolean
Usage Constraints: optional, advanced
Default: false
If set to true, the custom session will inherit the attributes from the parent session but will save changes in its own session.
Will only be evaluated if Custom.BindToParentSession is true
.
Custom-based SessionManagementFilter
The sample below shows a SessionManagementFilter that applies custom identification. It creates or retrieves a session using the ID specified in the header field User-Session-Id:
<filter>
<filter-name>CustomBasedSessionManagementFilter</filter-name>
<filter-class>ch::nevis::nevisproxy::filter::session::SessionManagementFilter</filter-class>
<init-param>
<param-name>Servlet</param-name>
<param-value>LocalSessionStoreServlet</param-value>
</init-param>
<init-param>
<param-name>Identification</param-name>
<param-value>Custom</param-value>
</init-param>
<init-param>
<param-name>Custom.RequiredIdentifiers</param-name>
<param-value>HEADER:User-Session-Id</param-value>
</init-param>
</filter>
Logging the session storage statistics
If you want to display session store statistics with the Dynamic Session Engine, you need to configure the bc.properties file as follows:
In the bc.properties file, set the property BC.Tracer.DebugProfile.NPReaperOp to "1":
BC.Tracer.DebugProfile.NPReaperOp=1
The system will then write statistical information about the used session store solution into the navajo.log log file. In the nevisProxy software delivery package, the above property is enabled by default. For more information on trace groups and tracing properties in the bc.properties file, see the chapter: Debugging.