Guide to Spring Session

Updated on March 18th, 2019

Spring Session provides an API and implementations for managing a user’s session information. In this post, we will cover features and advantages of using Spring Session in your Spring powered web application.


1. What is Spring Session?

Spring Session provides a transparent approach to resolve limitation of HTTP session. It provides central session management without being tied to container specific solution (e.g Tomcat, Jetty etc.). API provides integration with

  • HttpSession – Session API works by replacing the HttpSession with container neutral way by providing session ID in headers.
  • WebSocket – Provides the ability to keep HttpSession alive with WebSocket messages.
  • WebSession – Replacing the Spring WebFlux’s WebSession in an application container neutral way.

On a high level, Session API provides following modules.

  • Spring Session Core.
  • Session Data Redis – Support for Redis based session management.
  • JDBC Session – Relation database based session support.
  •  Hazelcast – Support for Hazelcast.

Here are benefits of using Spring Session API.

  • HttpSession – allows replacing the HttpSession in an application container (i.e. Tomcat) neutral way.
  • Clustered Sessions – API makes it trivial to support clustered sessions without being tied to an application container specific solution.
  • Multiple Browser Sessions – Spring Session supports managing multiple users’ sessions in a single browser instance (i.e. multiple authenticated accounts similar to Google).
  • RESTful APIs – Session API allows providing session ids in headers to work with RESTful APIs.


2. Spring Session with Spring Boot

Let’s create a simple Spring Boot web application to start with

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="" xmlns:xsi="http:/x/" xsi:schemaLocation="">
   <description>Demo project for Spring Boot</description>
      <relativePath />
      <!-- lookup parent from repository -->


3. Spring Boot Configuration

Let’s configure our Spring Boot application for using Session API. We will add required dependencies using pom.xml file.


3.1 Maven Dependencies

Let’s add dependencies for Spring Session. We are adding a dependency for Redis as well which work as a central storage for our session management.

	<!-- ... -->


3.2 Spring Session Configurations

Spring Boot provides first class support for session API. Once we added required dependencies, we can enable Session support by setting StoreType property using file. We are using Redis for this post, to enable Redis for session API set following property # Session store type.

Spring Boot support following store type for session API.

  • JDBC
  • Redis
  • Hazelcast
  • MongoDB

Based on the above property, Spring Boot will do several steps under the hood to enable Spring powered Session support.

  • Spring Boot create Spring Bean with name springSessionRepositoryFilter. This filter works under the hood to replace HttpSesion transparently with Spring backed session.
  • store-type property is equal to using @EnableRedisHttpSession annotation manually.

You can disable Spring Session by setting the store-type to none.


3.3 Redis Configurations

Spring Boot does several things to enable Redis support for the session management. It will automatically create a RedisConnectionFactory which connect Session API to Redis Server on localhost on port 6379. Use file to customize these configurations  #Server host
spring.redis.password=    #password
spring.redis.port=6379    #Redis server port

# Additional configurations 
server.servlet.session.timeout= # Session timeout.
spring.session.redis.flush-mode=on-save # Sessions flush mode.
spring.session.redis.namespace=spring:session # Namespace for keys used to store sessions.

This post assumes that you have already installed Redis server, and it’s up and running.


4. REST Controller

Let’s create a simple REST control for our Spring Boot application.

import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

import javax.servlet.http.HttpSession;

public class SampleSessionRestController {

     * Simple Session controller which will return session ID backed by Spring Session API
     * @param session
     * @return session ID
    String uid(HttpSession session) {
        return session.getId();



4.1.Spring Security Configuration 

Let’s do a basic setup to enable default configurations for Spring Security.

public class AppSecurityConfig extends WebSecurityConfigurerAdapter {

 public void configureGlobal(AuthenticationManagerBuilder authentication) throws Exception {


 protected void configure(HttpSecurity http) throws Exception {


5. How Does Spring Session Work?

API works transparently by replacing HTTP session. Instead of using Application Server (Tomcat etc.) HttpSession, it will persist value in the Redis server (or other store type defined in the

Spring Session API will replace HttpSession value with the implementation that is backed by Redis. When Spring Security’s SecurityContextPersistenceFilter saves the SecurityContext to the HttpSession, it is then persisted into Redis. When a new HttpSession is created, Spring Session creates a cookie named SESSION in your browser that contains the id of your session.


6. TEST Application

Let’s finally test our application to make sure Session API is working as expected.

public class SpringSessionAppApplicationTests {

 private TestRestTemplate testRestTemplate;
 private String testUrl = "http://localhost:8080/";

 public void testUnauthenticated() {
  RestTemplate restTemplate = new RestTemplate();
  ResponseEntity < String > result = restTemplate.getForEntity(testUrl, String.class);
  assertEquals(HttpStatus.UNAUTHORIZED, result.getStatusCode());

 public void testSpringSessionAPI() {

  URI uri = URI.create(testUrl);
  RestTemplate restTemplate = new RestTemplate();
  ResponseEntity < String > firstResponse = firstRequest(restTemplate, uri);
  String sessionId1 = firstResponse.getBody();
  String cookie = firstResponse.getHeaders().getFirst("Set-Cookie");
  String sessionId2 = nextRequest(restTemplate, uri, cookie).getBody();


 private ResponseEntity < String > firstRequest(RestTemplate restTemplate, URI uri) {
  HttpHeaders headers = new HttpHeaders();
  headers.set("Authorization", "Basic " + Base64.getEncoder().encodeToString("admin:nimda".getBytes()));
  RequestEntity < Object > request = new RequestEntity < > (headers, HttpMethod.GET, uri);
  return, String.class);

 private ResponseEntity < String > nextRequest(RestTemplate restTemplate, URI uri,
  String cookie) {
  HttpHeaders headers = new HttpHeaders();
  headers.set("Cookie", cookie);
  RequestEntity < Object > request = new RequestEntity < > (headers, HttpMethod.GET, uri);
  return, String.class);


Let’s see what we are trying to do with our unit test case.

  • With our first unit test case, we got unauthorized status back from the controller since we never passed default username and password in the request.
  • Our second unit test case divided into two parts
    • In the first request, we passed username and password to the controller and got success response from the controller.
    • For the second request, we passed the same cookie in the request without passing username and password.
    • We compared the session id returned in both the request and found those equal.

To test it in more detail, you can also delete the explicit key in Redis. Enter the following into your terminal ensuring to replace session id with the value of your SESSION cookie

redis-cli del spring:session:sessions:session-id

If you try to visit your application, observe that we are no longer authenticated.


7. Spring Session without Spring Boot

In this section, we will quickly cover steps required to use Spring-managed Session in non Spring Boot application.


7.1 Dependencies

Before using session API, we need to update dependencies

<?xml version="1.0" encoding="UTF-8"?>
   <!-- ... -->
   <!-- se Lettuce with Spring to manage the RedisClient and the RedisClusterClient -->


7.2 Java Configuration

public class ApplicationConfig {

 public LettuceConnectionFactory connectionFactory() {
  return new LettuceConnectionFactory();
  • The @EnableRedisHttpSession annotation creates a Spring Bean with the name of springSessionRepositoryFilter that implements Filter.
  • RedisConnectionFactory connects Session API to the Redis Server.


7.3 Java Servlet Initialization

public class ServletContainerInitializer extends AbstractHttpSessionApplicationInitializer {
 public Initializer() {

Let’s look at few important points

  • We extended our ServletContainerInitializer from AbstractHttpSessionApplicationInitializer to make sure we have correct spring bean available (springSessionRepositoryFilter)
  • AbstractHttpSessionApplicationInitializer also provides a mechanism to easily make sure Spring loads our ApplicationConfig.



In this post, we covered different features and use cases for Spring Session API. This API provides a transparent way to handle session for our application which provides flexibility and power to wire up multiple applications to the same Redis instance and share authentication information.

0 0 vote
Article Rating

Java Development Journal

Hello!! Welcome to the Java Development Journal. We love to share our knowledge with our readers and love to build a thriving community.

follow me on:
Notify of

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Newest Most Voted
Inline Feedbacks
View all comments
Atul More
2 years ago

Very nice explanation.
Keep posting.

Java Development Journal
2 years ago
Reply to  Atul More

Happy that you liked this post. 🙂

1 year ago

Thank you very much for this code. Question: Is it mandatory to implement SpringSecurity. For testing purpose if create small app, do session.setAttribute, test from 2 InCognito browser windows, do we still need SpringSecuirty? Cant it work based on cookies/JSESSIONID like a normal Http Servlet would work where we dont implement any Security for test purpose

Java Development Journal
1 year ago
Reply to  india.utube

No, Spring security is not required but with most of the application need to have some security framework around it. Spring Session provides an API and implementations for managing a user’s session information, so you won’t be getting this without integrating Spring session with some way to store session information (like Redis)

1 year ago

Thanks for the tutorials. For using with Spring boot, do we need to install redis seperately or it gets included when we add the maven dependency “spring-session-data-redis”?

Java Development Journal
1 year ago
Reply to  Sujit

Yes, you need to install Redis separately.’spring-session-data-redis’ only provides a transparent integration to let Redis store and handle your session data.

1 year ago

Thank you so much!! I was reading some more explanation in google but doubt is not clear. Can you please clear my doubt. (1) In the above code internally user session data is storing in which Redis cache/memory or disk storage? (2) If we use @CachePut for user session data to store in Redis then session data will be stored in spring redis session or redis cache(memory/disk) or both? Is this approach is good to save user session attribute?
(3)How we will make sure multiple user login in the same browser.

Java Development Journal
1 year ago
Reply to  Bhagwati

Hello Bhagwati,

Her are the answers to your questions

    1. In this article, we are using Redis as underlying storage for the Spring session.You can use other storage options as well (e.g
    2. I am not sure what you meant by user session? @CachePut is part of Spring caching API and this is altogether different, you can use different caching API’s to store caching data.Spring session is to handle the HTTP session transparently.
    3. Read for more details
1 year ago

Nice post. and I build it with latest spring. check code here:
Hope it help

Java Development Journal
1 year ago
Reply to  EdwardG


tri tran
10 months ago


this post is really helpful for me to store my file to Redis HttpSession.

I have a question. How can I config in and how can I do to switch between Tomcat HttpSesion and Redis HttpSession in my Spring Boot application? I need this is because sometimes I need Tomcat HttpSession to store my file, sometimes I need Redis HttpSession to store my file. Please advice.

Thank you
Tri Tran

Java Development Journal
10 months ago
Reply to  tri tran

Redis is just a storage for your HTTP session and it will originally going to store your HTTP session.I am still not clear why do you want to manage the HTTP session in 2 different places? Handling it on the tomcat level will not give you the flexibility what Spring session offers you.

Would love your thoughts, please comment.x