REST API call to the application creates a user session in the application

I have a Jmix 1.6 project that allows users to interact with the app via UI and also REST API.

I am now noticing that each REST API call from an external app causes a new user session to be created (viewable in my Jmix app). This session seems wasteful: it remains idle, never makes requests again, and eventually goes away on timeout. Is this expected behavior? Is there a way to prevent user sessions from being auto-created for each REST API call?

If this is expected behavior, then how can I control the timeout specifically for these sessions?

Hello Robert,

Jmix provides the session-scoped bean SessionData to share values across multiple requests from the same connected user. It requires an HTTP session to work, thus sessions cannot be disabled for REST API calls without overriding at least a dozen Jmix beans. But a new session should not be created for each request.

Usually authentication occurs only once at the beginning of the interaction, the session id is stored in client cookies, and all subsequent queries from the same client use the same session.

I've checked Jmix 1.6.1 and reproduced excessive session creation in the following scenario:

  1. Authentication
  2. Make a request
  3. Clear cookies / recreate the client / use another client to connect
  4. Repeat from (1) or (2)

Yes, in such a case orphaned HTTP sessions will remain for each request because they cannot be obtained.

In order to fix this situation, please enable cookies and make sure that JSESSIONID is stored.

If using cookies and storing JSESSIONID is not an option, you can intercept REST API requests and set the session max inactive interval manually. Maybe the easiest way is to use OncePerRequestFilter:

import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.NegatedRequestMatcher;
import org.springframework.security.web.util.matcher.OrRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;

@Component
public class SessionMaxInactiveIntervalFilter extends OncePerRequestFilter {

    // Matches every request EXCEPT the ones that leave orphaned sessions; shouldNotFilter() skips those matches
    private final RequestMatcher notTokenRequestMatcher =
            new NegatedRequestMatcher(
                    new OrRequestMatcher(// specify requests which leave orphaned sessions
                            new AntPathRequestMatcher("/oauth/token"),
                            new AntPathRequestMatcher("/rest/**")));

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
            throws ServletException, IOException {
        filterChain.doFilter(request, response);
        // Only shorten a session the request actually created; getSession(false) never creates a new one here
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.setMaxInactiveInterval(60);// specify desired session expiration time in seconds
        }
    }

    @Override
    protected boolean shouldNotFilter(HttpServletRequest request) {
        return notTokenRequestMatcher.matches(request);
    }
}

Here is an example project
j161ui.zip (459.0 KB)
Using it according to the getting started doc page, with cookies enabled and JSESSIONID stored, does not lead to a new session being created for each query. It also contains the bean described above for the opposite case.

UPD: alternatively, the jmix-sessions add-on may be added:

implementation 'io.jmix.sessions:jmix-sessions-starter'

It links a session to a token and allows maintaining a single session without enabling cookies on the client side.

Regards,
Dmitry
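As an added client-side check (not code from the post above or from the Jmix project), the following Java 11+ HttpClient program does what the answer recommends: authenticate once at /oauth/token, keep JSESSIONID in a CookieManager, and fail if the server hands out a different session id on any later /rest/ call. The base URL, OAuth client id/secret, user credentials and the entity name are hypothetical placeholders for your own application.

```java
import java.net.CookieManager;
import java.net.CookiePolicy;
import java.net.HttpCookie;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class JmixRestSessionCheck {
    // Placeholders (hypothetical): base URL, OAuth client credentials and an entity path of your app
    private static final String BASE = "http://localhost:8080";
    private static final String CLIENT_ID = "client";
    private static final String CLIENT_SECRET = "secret";
    private static final String ENTITY_PATH = "/rest/entities/sample_Customer";

    public static void main(String[] args) throws Exception {
        // The cookie jar keeps JSESSIONID between calls, which is what lets the server reuse one session
        CookieManager cookies = new CookieManager(null, CookiePolicy.ACCEPT_ALL);
        HttpClient client = HttpClient.newBuilder().cookieHandler(cookies).build();
        // 1. Authenticate once: password grant at /oauth/token with HTTP Basic client credentials (placeholder user)
        String basic = Base64.getEncoder().encodeToString((CLIENT_ID + ":" + CLIENT_SECRET).getBytes(StandardCharsets.UTF_8));
        HttpRequest tokenReq = HttpRequest.newBuilder(URI.create(BASE + "/oauth/token"))
                .header("Authorization", "Basic " + basic).header("Content-Type", "application/x-www-form-urlencoded")
                .POST(HttpRequest.BodyPublishers.ofString("grant_type=password&username=admin&password=admin")).build();
        String tokenJson = client.send(tokenReq, HttpResponse.BodyHandlers.ofString()).body();
        String accessToken = tokenJson.replaceAll("(?s).*\"access_token\"\\s*:\\s*\"([^\"]+)\".*", "$1");
        String firstSession = sessionId(cookies);
        if (firstSession == null) throw new IllegalStateException("no JSESSIONID cookie after login");
        // 2. Make several REST calls with the bearer token; the cookie jar sends JSESSIONID along automatically
        for (int i = 0; i < 3; i++) {
            HttpRequest req = HttpRequest.newBuilder(URI.create(BASE + ENTITY_PATH))
                    .header("Authorization", "Bearer " + accessToken).GET().build();
            int status = client.send(req, HttpResponse.BodyHandlers.discarding()).statusCode();
            String current = sessionId(cookies);
            System.out.printf("call %d: HTTP %d, JSESSIONID %s%n", i + 1, status, current);
            // 3. The check: a changed id means the server opened another session for this call
            if (!firstSession.equals(current)) {
                throw new IllegalStateException("session was re-created on call " + (i + 1));
            }
        }
        System.out.println("all calls reused session " + firstSession);
    }

    private static String sessionId(CookieManager cookies) {
        return cookies.getCookieStore().getCookies().stream().filter(c -> "JSESSIONID".equals(c.getName()))
                .map(HttpCookie::getValue).findFirst().orElse(null);
    }
}
```

Running the same program with the CookieManager removed reproduces the scenario from the answer, since every call then arrives without JSESSIONID and gets a fresh session.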