Session store (v4.0)
The `WebContext` is an abstraction to deal with the HTTP request and response. To specifically deal with the session, it relies on a `SessionStore`, which may be available via the `getSessionStore` method.
The `SessionStore` has the following methods:

- `getOrCreateSessionId`: gets or creates the session identifier and initializes the session with it if necessary
- `get`: gets the attribute from the session
- `set`: sets the attribute in the session
- `destroySession`: destroys the underlying web session
- `getTrackableSession`: gets the native session as a trackable object (for back-channel logout)
- `buildFromTrackableSession`: builds a new session store from a trackable session (for back-channel logout)
- `renewSession`: renews the native session by copying all data to a new one.
For example, the `JEEContext` currently uses the `JEESessionStore`, which relies on the JEE session. In Play, we have a specific cache-based `PlayCacheSessionStore`, as well as in Knox, which has a cookie-based `KnoxSessionStore`.
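To make the contract of these methods concrete, here is an added example (not pac4j code): a self-contained in-memory store whose method names mirror the `SessionStore` methods listed above. The `Ctx` and `InMemorySessionStoreDemo` classes, the method signatures and the `requestedUrl` attribute are assumptions made for illustration.

```java
import java.security.SecureRandom;
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;
// Hypothetical in-memory store; method names mirror the SessionStore methods, not pac4j's own interface.
public class InMemorySessionStoreDemo {
    // Stand-in for the web context; it only carries the session id (e.g. a cookie value).
    static final class Ctx { String sessionId; }
    private static final SecureRandom RNG = new SecureRandom();
    private final Map<String, Map<String, Object>> sessions = new ConcurrentHashMap<>();
    private static String newId() {
        byte[] b = new byte[32];
        RNG.nextBytes(b);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
    }
    public String getOrCreateSessionId(Ctx ctx) {
        // An id this store did not issue is never adopted; a fresh one replaces it.
        if (ctx.sessionId == null || !sessions.containsKey(ctx.sessionId)) {
            ctx.sessionId = newId();
            sessions.put(ctx.sessionId, new HashMap<>());
        }
        return ctx.sessionId;
    }
    public Optional<Object> get(Ctx ctx, String key) {
        return Optional.ofNullable(sessions.get(getOrCreateSessionId(ctx)).get(key));
    }
    public void set(Ctx ctx, String key, Object value) {
        sessions.get(getOrCreateSessionId(ctx)).put(key, value);
    }
    public boolean destroySession(Ctx ctx) {
        boolean existed = ctx.sessionId != null && sessions.remove(ctx.sessionId) != null;
        ctx.sessionId = null;
        return existed;
    }
    // Copies all data to a new session and removes the old one, so the old id stops resolving.
    public boolean renewSession(Ctx ctx) {
        Map<String, Object> old = sessions.remove(getOrCreateSessionId(ctx));
        ctx.sessionId = newId();
        sessions.put(ctx.sessionId, new HashMap<>(old));
        return true;
    }
    public static void main(String[] args) {
        InMemorySessionStoreDemo store = new InMemorySessionStoreDemo();
        Ctx ctx = new Ctx();
        String before = store.getOrCreateSessionId(ctx);
        store.set(ctx, "requestedUrl", "/account"); // constructed sample attribute
        store.renewSession(ctx);
        // Checks that the attribute survived and that the pre-renewal id no longer maps to a session.
        System.out.println(store.get(ctx, "requestedUrl").isPresent() && !store.sessions.containsKey(before));
    }
}
```

The inner maps are plain `HashMap` instances to keep the example short; a store shared across request threads would need per-session synchronization.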
The `ProfileStorageDecision` defines the decisions related to the profile, whether we must read it from and save it into the web session. It is used by the `DefaultSecurityLogic`:

- by default, the `DefaultProfileStorageDecision` is set, which is appropriate for a web application which only uses indirect clients or direct clients
- for a web application using both indirect and direct clients and mixing authentications, the `AlwaysUseSessionProfileStorageDecision` should be used.