Interface SessionHandler

    • Field Detail

      • DEFAULT_SESSION_COOKIE_NAME

        static final String DEFAULT_SESSION_COOKIE_NAME
        Default name of session cookie
        See Also:
        Constant Field Values
      • DEFAULT_SESSION_COOKIE_PATH

        static final String DEFAULT_SESSION_COOKIE_PATH
        Default path of session cookie
        See Also:
        Constant Field Values
      • DEFAULT_SESSION_TIMEOUT

        static final long DEFAULT_SESSION_TIMEOUT
        Default time, in ms, that a session lasts for without being accessed before expiring.
        See Also:
        Constant Field Values
      • DEFAULT_NAG_HTTPS

        static final boolean DEFAULT_NAG_HTTPS
        Default of whether a nagging log warning should be written if the session handler is accessed over HTTP, not HTTPS
        See Also:
        Constant Field Values
      • DEFAULT_COOKIE_HTTP_ONLY_FLAG

        static final boolean DEFAULT_COOKIE_HTTP_ONLY_FLAG
Default of whether the cookie has the HttpOnly flag set. More info: https://www.owasp.org/index.php/HttpOnly
        See Also:
        Constant Field Values
      • DEFAULT_COOKIE_SECURE_FLAG

        static final boolean DEFAULT_COOKIE_SECURE_FLAG
Default of whether the cookie has the 'secure' flag set to allow transmission over HTTPS only. More info: https://www.owasp.org/index.php/SecureFlag
        See Also:
        Constant Field Values
      • DEFAULT_SESSIONID_MIN_LENGTH

        static final int DEFAULT_SESSIONID_MIN_LENGTH
        Default min length for a session id. More info: https://www.owasp.org/index.php/Session_Management_Cheat_Sheet
        See Also:
        Constant Field Values
      • DEFAULT_LAZY_SESSION

        static final boolean DEFAULT_LAZY_SESSION
        Default of whether the session should be created lazily.
        See Also:
        Constant Field Values
    • Method Detail

      • create

static SessionHandler create(SessionStore sessionStore)
        Create a session handler
        Parameters:
        sessionStore - the session store
        Returns:
        the handler
      • setSessionTimeout

SessionHandler setSessionTimeout(long timeout)
        Set the session timeout
        Parameters:
        timeout - the timeout, in ms.
        Returns:
        a reference to this, so the API can be used fluently
      • setNagHttps

SessionHandler setNagHttps(boolean nag)
Set whether a nagging log warning should be written if the session handler is accessed over HTTP, not HTTPS.
        Parameters:
        nag - true to nag
        Returns:
        a reference to this, so the API can be used fluently
      • setCookieSecureFlag

SessionHandler setCookieSecureFlag(boolean secure)
Sets whether the 'secure' flag should be set for the session cookie. When set, this flag instructs browsers to only send the cookie over HTTPS. Note that this will probably stop your sessions from working if used without HTTPS (e.g. in development).
        Parameters:
        secure - true to set the secure flag on the cookie
        Returns:
        a reference to this, so the API can be used fluently
      • setCookieHttpOnlyFlag

SessionHandler setCookieHttpOnlyFlag(boolean httpOnly)
Sets whether the 'HttpOnly' flag should be set for the session cookie. When set, this flag instructs browsers to prevent JavaScript access to the cookie. Used as a line of defence against the most common XSS attacks.
        Parameters:
        httpOnly - true to set the HttpOnly flag on the cookie
        Returns:
        a reference to this, so the API can be used fluently
      • setSessionCookieName

SessionHandler setSessionCookieName(String sessionCookieName)
        Set the session cookie name
        Parameters:
        sessionCookieName - the session cookie name
        Returns:
        a reference to this, so the API can be used fluently
      • setSessionCookiePath

SessionHandler setSessionCookiePath(String sessionCookiePath)
        Set the session cookie path
        Parameters:
        sessionCookiePath - the session cookie path
        Returns:
        a reference to this, so the API can be used fluently
      • setMinLength

SessionHandler setMinLength(int minLength)
Set the expected session id minimum length.
Parameters:
minLength - the session id minimum length
        Returns:
        a reference to this, so the API can be used fluently
      • setCookieSameSite

SessionHandler setCookieSameSite(CookieSameSite policy)
Set the session cookie SameSite policy to use.
Parameters:
policy - the policy to use, or null for no policy.
        Returns:
        a reference to this, so the API can be used fluently
      • setLazySession

SessionHandler setLazySession(boolean lazySession)
        Use a lazy session creation mechanism. The session will only be created when accessed from the context. Thus the session cookie is set only if the session was accessed.
        Parameters:
        lazySession - true to have a lazy session creation.
        Returns:
        a reference to this, so the API can be used fluently
      • setCookieMaxAge

SessionHandler setCookieMaxAge(long cookieMaxAge)
Set a max-age on the session cookie. When doing this the cookie will be persistent across browser restarts. This can be dangerous, as closing a browser window does not invalidate the session. For more information refer to https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#Expire_and_Max-Age_Attributes
Parameters:
cookieMaxAge - a non-negative max-age; note that 0 means expire now.
        Returns:
        a reference to this, so the API can be used fluently
      • flush

default Future<Void> flush(RoutingContext ctx)
Flush a context session to the store early. This allows the end user to take full control in the event of a failure at the store level. Once a session is flushed, no automatic save will be performed at the end of the request.
        Parameters:
        ctx - the current context
        Returns:
        a future signaled with the asynchronous response.
      • flush

Future<Void> flush(RoutingContext ctx,
                   boolean ignoreStatus)
Flush a context session to the store early. This allows the end user to take full control in the event of a failure at the store level. Once a session is flushed, no automatic save will be performed at the end of the request.
        Parameters:
        ctx - the current context
        ignoreStatus - flush regardless of response status code
        Returns:
        a future signaled with the asynchronous response.
      • setCookieless

SessionHandler setCookieless(boolean cookieless)
Use sessions based on URL paths instead of cookies. This is a potentially less safe alternative to cookies, but offers an option when cookies are not desired, for example, to avoid showing banners on a website due to cookie laws, or for machine-to-machine operations where state must be maintained.
        Parameters:
        cookieless - true if a cookieless session should be used
        Returns:
        a reference to this, so the API can be used fluently
      • newSession

Session newSession(RoutingContext context)
        Create a new session
        Parameters:
        context - the routing context
        Returns:
        the session
      • setUser

Future<Void> setUser(RoutingContext context,
                             User user)
        Set the user for the session
        Parameters:
        context - the routing context
        user - the user
        Returns:
a future that completes when the operation is done, or fails
      • setSigningSecret

SessionHandler setSigningSecret(String secret)
Set the signing secret for the session cookie. If this is not set, the cookie will not be signed and verified by the SessionHandler, but it may still be signed by the session implementation; for example, CookieSessionStore signs the cookie data.
        Parameters:
        secret - the secret used to sign the session cookie data
        Returns:
        a reference to this, so the API can be used fluently
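A hardened configuration of this interface, as an added example and not code from the Vert.x project: it assumes Vert.x Web 4.x with a LocalSessionStore, an environment variable SESSION_SIGNING_SECRET holding the signing secret, placeholder PEM key and certificate paths, and that credentials have already been verified by an earlier handler on /login.

```java
import io.vertx.core.Vertx;
import io.vertx.core.http.CookieSameSite;
import io.vertx.core.http.HttpServerOptions;
import io.vertx.core.net.PemKeyCertOptions;
import io.vertx.ext.web.Router;
import io.vertx.ext.web.Session;
import io.vertx.ext.web.handler.SessionHandler;
import io.vertx.ext.web.sstore.LocalSessionStore;

public class HardenedSessionExample {
  public static void main(String[] args) {
    Vertx vertx = Vertx.vertx();
    Router router = Router.router(vertx);
    // Signing secret is read from the environment (assumed variable name); never hard-code it.
    String secret = System.getenv("SESSION_SIGNING_SECRET");
    if (secret == null || secret.length() < 32) {
      throw new IllegalStateException("SESSION_SIGNING_SECRET must be set and at least 32 chars");
    }
    SessionHandler sessions = SessionHandler.create(LocalSessionStore.create(vertx))
      .setSessionCookieName("sid")
      .setSessionCookiePath("/")
      .setSessionTimeout(15 * 60 * 1000L)        // idle timeout: 15 minutes
      .setCookieSecureFlag(true)                 // cookie only sent over HTTPS (breaks plain-HTTP dev)
      .setCookieHttpOnlyFlag(true)               // not readable from JavaScript
      .setCookieSameSite(CookieSameSite.STRICT)  // not sent on cross-site requests
      .setMinLength(32)                          // ids shorter than this are rejected
      .setLazySession(true)                      // no cookie until the session is actually used
      .setSigningSecret(secret);                 // handler signs and verifies the cookie value
    router.route().handler(sessions);

    router.post("/login").handler(ctx -> {
      // Assumed: credentials were already verified by an earlier handler.
      Session session = ctx.session();
      session.regenerateId();              // new id on privilege change (session fixation defence)
      session.put("user", "alice");        // constructed sample value
      ctx.response().end("logged in");
    });

    router.post("/logout").handler(ctx -> {
      ctx.session().destroy();             // invalidate server-side state, not just the cookie
      ctx.response().end("logged out");
    });

    // The Secure flag needs TLS; key and certificate paths are placeholders.
    HttpServerOptions tls = new HttpServerOptions().setSsl(true).setKeyCertOptions(
      new PemKeyCertOptions().setKeyPath("server-key.pem").setCertPath("server-cert.pem"));
    vertx.createHttpServer(tls).requestHandler(router).listen(8443);
  }
}
```

setCookieMaxAge is deliberately left unset so the cookie is discarded when the browser closes; with setCookieSecureFlag(true) the server must actually be reached over TLS or the browser will never send the session cookie back.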