SessionProvider (S&C Spring Security JWT Extension 0.2.2 API)

All Known Implementing Classes:

FakeSessionProvider
```
public interface SessionProvider
```
SessionProvider is used only if a JWT token is linked to a session to increase token security.

Conventional JWT tokens have an expiration date and should be renewed if the token expires. To avoid frequent re-login each time if the token expires, developers sets commonly quasi infinite expiration dates or renew tokens without any re-authentication steps. These approaches increases security risks, especially against token stealing.

So called sessions can be used to store JWT validity state and can be checked every time when a token must be renewed. In this way a token can have a shorter expiration cycle (e.g. 15 minutes) and can be revoked if it is stolen. As long as the linked session is not revoked by user or administrators, expired JWT tokens can be renewed without any (user involved) re-authentication step.

The responsibility of a SessionProvider implementation is create and store a session for a given principal (any unique user identifier like user id, user name, email address, etc.), check if given session id is valid or not, and invalidate a session if needed.

A session entry must have at least following data: session id, principal, validity flag. But a particular SessionProvider may provide or store more information in session storage.

Author:

selimok

Method Summary

All Methods Instance Methods Abstract Methods
Modifier and Type	Method and Description
`String`	`createSession(String principal)` Creates and stores a new session for given principal.
`void`	`invalidateSession(String sessionId)` Revokes given session (referenced by session id).
`boolean`	`isSessionValid(String sessionId)` Checks if the given session (referenced by session id) valid.
`void`	`refreshSession(String sessionId)` Refreshes given session (referenced by session id).
`void`	`removeSession(String sessionId)` Remove given session (referenced by session id).
`String`	`renewSession(String sessionId)` Create a new session and invalidate existing session.

- Method Detail
  - createSession
```
String createSession(String principal)
```
    Creates and stores a new session for given principal.
    
    Parameters:
    
    principal - Any unique user identifier like user id, user name, email address, etc.
    
    Returns:
    
    Unique session id of created session
  - isSessionValid
```
boolean isSessionValid(String sessionId)
```
    Checks if the given session (referenced by session id) valid.
    
    Parameters:
    
    sessionId - Unique session id.
    
    Returns:
    
    true if session is valid, false if it's revoked and not valid anymore.
  - invalidateSession
```
void invalidateSession(String sessionId)
```
    Revokes given session (referenced by session id).
    
    Parameters:
    
    sessionId - Unique session id.
  - renewSession
```
String renewSession(String sessionId)
```
    Create a new session and invalidate existing session.
    
    Parameters:
    
    sessionId - Unique session id of
    
    Returns:
    
    Newly created session id.
  - refreshSession
```
void refreshSession(String sessionId)
```
    Refreshes given session (referenced by session id). Depending on the implementation this method may refresh session related data like last touch time, ip address, agent details etc.
    
    Parameters:
    
    sessionId - Unique session id.
  - removeSession
```
void removeSession(String sessionId)
```
    Remove given session (referenced by session id).
    
    Parameters:
    
    sessionId - Unique session id.

Interface SessionProvider

Method Summary

Method Detail

createSession

isSessionValid

invalidateSession

renewSession

refreshSession

removeSession