The login interceptor fails to obtain information from the session (session invalidation problem)

Project environment: SpringBoot + Vue

session invalidation problem

Problem Description

Also known as: the session inconsistency problem

Login interceptor: after a successful login the user information is stored in the session, but the interceptor cannot find that information in the session.

When the user enters the correct username and password, as follows:

Click Login, it will prompt that the login is successful, as follows


After clicking OK, it is reasonable to jump to MainCrud, but it tells us to log in again, as follows


So I went looking for the cause and found that the problem was in the login interceptor, and that it was related to the session.

Analyze code flow

After clicking OK, the front end jumps directly to the MyCRUD.vue page through vue-router. When this page loads, it issues the user/getList request. Because we registered a login interceptor on the back end, this request is intercepted by the login interceptor, as follows:


Therefore the request enters the loginIntercepter, and the interceptor checks the session to determine whether the login information exists, as follows:


If the information exists, the request is let through.

View the output:


The output above shows the problem: the session at login time and the session seen in the interceptor are not the same object at all, so the interceptor's session contains no login information and the check cannot succeed.

Reason

Principles related to session:

When HttpServletRequest.getSession(true) is called for the first time, a session is created together with a sessionId. The sessionId is returned to the client and stored in a cookie. On the next request the cookie, and with it the sessionId, is sent back to the server, and the server looks up the session by that sessionId.

When the server is accessed for the first time, the response header contains a Set-Cookie entry carrying the JSESSIONID (this header appears only on the first access that creates the session), as follows:


On subsequent requests to the server, the session ID is included in the Cookie request header, which is how the server retrieves the session:


Summary: the session is not found by the server on its own; it depends on the cookie. The client must therefore be allowed to send and receive cookies when it talks to the server.

Solution

The error occurs because a Vue project with separated front end and back end has to deal with cross-origin requests. In our cross-origin setup we never configured the request to carry cookies, so the browser sent the user/getList request without the JSESSIONID cookie and the server created a fresh, empty session. The fix is configured on the front end and on the back end, as follows.

Configure in main.js on the front end:

axios.defaults.withCredentials = true // allow the browser to send cookie information with requests

Configure in the addCorsMappings method of WebMvcConfig on the back end:

.allowCredentials(true) // whether the client is allowed to send cookie information; the default is false
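As an added example (not the author's code), here is a complete WebMvcConfig for Spring Boot 2.x (javax.servlet) that ties the back-end CORS setting above to the login interceptor discussed earlier. The Vue origin http://localhost:8080, the session attribute name "user" and the public /user/login path are assumptions.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.cors.CorsUtils;
import org.springframework.web.servlet.HandlerInterceptor;
import org.springframework.web.servlet.config.annotation.CorsRegistry;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

@Configuration
public class WebMvcConfig implements WebMvcConfigurer {

    @Override
    public void addCorsMappings(CorsRegistry registry) {
        registry.addMapping("/**")
                // Assumed Vue dev-server origin. With allowCredentials(true) the origin
                // must be listed explicitly: browsers reject "*" on credentialed requests.
                .allowedOrigins("http://localhost:8080")
                .allowedMethods("GET", "POST", "PUT", "DELETE", "OPTIONS")
                .allowedHeaders("*")
                .allowCredentials(true) // lets the browser attach the JSESSIONID cookie
                .maxAge(3600);
    }

    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        registry.addInterceptor(new LoginInterceptor())
                .addPathPatterns("/**")
                .excludePathPatterns("/user/login"); // assumed login endpoint stays public
    }

    // Rejects any request whose session holds no logged-in user.
    static class LoginInterceptor implements HandlerInterceptor {
        @Override
        public boolean preHandle(HttpServletRequest request, HttpServletResponse response,
                                 Object handler) {
            // A CORS preflight (OPTIONS) never carries cookies; let Spring answer it.
            if (CorsUtils.isPreFlightRequest(request)) {
                return true;
            }
            // getSession(false) does not create an empty session for an anonymous request
            HttpSession session = request.getSession(false);
            if (session != null && session.getAttribute("user") != null) {
                return true; // the cookie resolved to the login session; pass the request
            }
            response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            return false;
        }
    }
}
```

With axios.defaults.withCredentials = true on the Vue side, the browser sends the same JSESSIONID cookie on the user/getList request, so the interceptor sees the session created at login instead of a fresh empty one.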



Origin blog.csdn.net/Supreme7/article/details/126157826