Spring Session - Cookie Based Authentication's sessionToken leads to vulnerability


In my Spring application, I have implemented Spring Security and cookie-based authentication using Spring Session management with a Redis server for storing sessions.

In my application, after login a custom sessionToken is generated.

So, User1 has one sessionToken and User2 has a different sessionToken.

Using the cookie-editor plugin, if I copied User1's sessionToken and applied it on User2's profile page, User2 changed to User1's profile, which leads to security vulnerabilities. [screenshot of the cookie-editor plugin]

If a basic user tries to use an admin user's session token, it should trigger a security mechanism to invalidate the session and log out the user. In my case, the profile is changing instead.

For the configure method in my security config class, I gave:

```java
@Override
protected void configure(HttpSecurity http) throws Exception {

    // Other configurations

    // Configuring session management
    http.sessionManagement()
            .sessionCreationPolicy(SessionCreationPolicy.STATELESS);
}
```

I want that if User1's sessionToken is copied and applied to User2's profile using the cookie editor, the user should be logged out instead of the profile changing.

Do I have to change something on the front end (JavaScript, jQuery) or on the Spring configuration side?
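A server-side session configuration in the direction the question asks about, added here as an example and not part of the original post. It assumes Spring Security 5.x (WebSecurityConfigurerAdapter) with Spring Session's Redis store as in the question; the cookie name SESSION, the 15-minute idle timeout and the class name are assumptions.

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.session.FindByIndexNameSessionRepository;
import org.springframework.session.Session;
import org.springframework.session.data.redis.config.annotation.web.http.EnableRedisHttpSession;
import org.springframework.session.security.SpringSessionBackedSessionRegistry;
import org.springframework.session.web.http.CookieSerializer;
import org.springframework.session.web.http.DefaultCookieSerializer;

@EnableWebSecurity
@EnableRedisHttpSession(maxInactiveIntervalInSeconds = 900) // assumed: idle sessions expire in Redis after 15 min
public class SessionSecurityConfig<S extends Session> extends WebSecurityConfigurerAdapter {
    @Autowired
    private FindByIndexNameSessionRepository<S> sessionRepository;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .logout()
                .invalidateHttpSession(true)   // deletes the session in Redis, not just the browser cookie
                .deleteCookies("SESSION")
                .and()
            .sessionManagement()
                // IF_REQUIRED, not STATELESS: STATELESS makes Spring Security ignore the HttpSession, so none of the controls below apply
                .sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
                .sessionFixation().migrateSession()   // a fresh session id is issued on every login
                .maximumSessions(1)                   // a new login for a user evicts that user's older session
                .sessionRegistry(sessionRegistry());  // Redis-backed registry so eviction works across instances
    }

    @Bean
    public SpringSessionBackedSessionRegistry<S> sessionRegistry() {
        return new SpringSessionBackedSessionRegistry<>(this.sessionRepository);
    }

    // Flags on the Spring Session cookie: unreadable by page scripts, HTTPS only, not sent on cross-site requests
    @Bean
    public CookieSerializer cookieSerializer() {
        DefaultCookieSerializer s = new DefaultCookieSerializer();
        s.setCookieName("SESSION");      // assumed cookie name
        s.setUseHttpOnlyCookie(true);
        s.setUseSecureCookie(true);
        s.setSameSite("Lax");            // or "Strict" if no cross-site navigation needs to carry the cookie
        return s;
    }
}
```

A session cookie presented from the same browser is a valid bearer credential whichever user it was issued to, so no server-side check can tell the copied token from the original in the cookie-editor test; these settings instead shorten the token's lifetime and keep it out of reach of scripts and cross-site requests. The change belongs on the Spring side, not in the front end.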
