implemented persistent sessions (not destroyed when broweser closed) – needs more work

Signed-off-by: Stephan Richter <s.richter@srsoftware.de>
1 year ago · 3e88c91154
5 changed files with 29 additions and 5 deletions
--- a/de.srsoftware.http/src/main/java/de/srsoftware/http/SessionToken.java
+++ b/de.srsoftware.http/src/main/java/de/srsoftware/http/SessionToken.java
@ -4,11 +4,21 @@ package de.srsoftware.http;
				@@ -4,11 +4,21 @@ package de.srsoftware.http;

 import com.sun.net.httpserver.Headers;
 import com.sun.net.httpserver.HttpExchange;
+
+import java.time.Instant;
+import java.time.ZoneOffset;
+import java.time.format.DateTimeFormatter;
 import java.util.Optional;


 public class SessionToken extends Cookie {
 	private final String sessionId;
+	private static final DateTimeFormatter FORMAT = DateTimeFormatter.ofPattern("MM/dd/yyyy HH:mm:ss O");
+
+	public SessionToken(String sessionId, Instant expiration){
+		super("sessionToken", "%s; Path=/api; Expires=%s".formatted(sessionId,FORMAT.format(expiration.atZone(ZoneOffset.UTC))));
+		this.sessionId = sessionId;
+	}

 	public SessionToken(String sessionId) {
 		super("sessionToken", sessionId + "; Path=/api");
@ -17,8 +27,8 @@ public class SessionToken extends Cookie {
				@@ -17,8 +27,8 @@ public class SessionToken extends Cookie {

 	@Override
 	public <T extends Cookie> T addTo(Headers headers) {
-		headers.add("session", sessionId);
-		return (T)this;	 // super.addTo(headers);
+		headers.add("session", getValue());
+		return super.addTo(headers);
 	}

 	public static Optional<SessionToken> from(HttpExchange ex) {
--- a/de.srsoftware.oidc.backend/src/main/java/de/srsoftware/oidc/backend/UserController.java
+++ b/de.srsoftware.oidc.backend/src/main/java/de/srsoftware/oidc/backend/UserController.java
@ -225,7 +225,7 @@ public class UserController extends Controller {
				@@ -225,7 +225,7 @@ public class UserController extends Controller {
 		var user = optUser.get();
 		users.updatePassword(user, newPass);
 		var session = sessions.createSession(user);
-		new SessionToken(session.id()).addTo(ex);
+		new SessionToken(session.id(),session.expiration()).addTo(ex);
 		return sendRedirect(ex, "/");
 	}

@ -266,7 +266,7 @@ public class UserController extends Controller {
				@@ -266,7 +266,7 @@ public class UserController extends Controller {
 	}

 	private boolean sendUserAndCookie(HttpExchange ex, Session session, User user) throws IOException {
-		new SessionToken(session.id()).addTo(ex);
+		new SessionToken(session.id(),session.expiration()).addTo(ex);
 		return sendContent(ex, user.map(false));
 	}

--- a/de.srsoftware.oidc.web/src/main/resources/en/login.html
+++ b/de.srsoftware.oidc.web/src/main/resources/en/login.html
@ -28,6 +28,14 @@
				@@ -28,6 +28,14 @@
                        <th>Error</th>
                        <td class="warning">Failed to log in!</td>
                    </tr>
+                    <tr>
+                        <td colspan="2">
+                            <label>
+                                <input type="checkbox" name="trust" checked="checked"/>
+                                Quit session when browser is closed.
+                            </label>
+                        </td>
+                    </tr>
                    <tr>
                        <td></td>
                        <td><button type="button" onClick="tryLogin()">Login</button></td>
--- a/de.srsoftware.oidc.web/src/main/resources/en/scripts/login.js
+++ b/de.srsoftware.oidc.web/src/main/resources/en/scripts/login.js
@ -7,8 +7,13 @@ function doRedirect(){
				@@ -7,8 +7,13 @@ function doRedirect(){
 function handleLogin(response){
    if (response.ok){ 
        response.headers.forEach(function(val, key) {
+            console.log('header: '+key+' → '+val);
            // in newer browsers, the cookie is set from fetch response. In older browsers this does not seem to work
-            if (key == 'session') document.cookie = 'sessionToken='+val+"; path=/api"
+            if (key == 'session') {
+                val = 'sessionToken='+val;
+                console.log('setting cookie: '+val);
+                document.cookie = val;
+            }
        });
       response.json().then(body => {
          hide('error');
--- a/de.srsoftware.oidc.web/src/main/resources/en/todo.html
+++ b/de.srsoftware.oidc.web/src/main/resources/en/todo.html
@ -16,6 +16,7 @@
				@@ -16,6 +16,7 @@
                <li>implement token refresh</li>
                <li>Verschlüsselung im config-File</li>
                <li>Configuration im Frontend</li>
+                <li>Process <em>quit session when browser is closed</em> input on login</li>
            </ul>
        </div>
    </body>