HeaderHttpSessionStrategy x-auth-token is it safe?

Is it safe to use HeaderHttpSessionStrategy? one can get hold of the x-auth-token and the same session can be simulated across browsers and machines

Solution

Note that cookies themselves are in fact HTTP headers. The header named Cookie contains your cookie, which makes your concern applicable to both session strategies Spring Session provides out of the box (although cookies can be considered safer since they are domain restricted).

Ultimately, what will make both strategies safe is the use of SSL transport, i.e. HTTPS.

Single Page Application Session Managment and Spring Security Backend
Security Context with HttpSessionSecurityContextRepository always returns 403 after successful authentication, Spring Boot 3.3
What's the relationship between Keycloak SSO Session Idle Time and Spring Session Timeout?
Is store-type property in Spring Session no longer available?
Why does Spring Boot not configure Spring Session Redis?
Spring SessionRepositoryFilter is not applied to forwarded requests
Spring Websession does not encode session id while setting Cookie
Spring security - maximumSessions() - not working
Initializing RedisHttpSessionConfiguration with Spring Session Data Redis
Add session destroy event on Spring-Session with Redis
Upgrade spring boot app from 2 to 3, fail to 'Set-Cookie' on auth
springboot 3.1.3 problem with customfilter extending AbstractAuthenticationProcessingFilter
Set Spring Session Redis on production only
Does setting spring.session.store-type to 'redis' no longer provide a FindByIndexNameSessionRepository bean?
Spring Session/Redis and Oauth2 not working together
Consider defining a bean of type 'org.springframework.data.redis.connection.RedisConnectionFactory' in your configuration
Is it possible to use Spring Boot session without Redis?
How to set the provider for OAuth2ClientAuthenticationToken in Spring Authorization Server
Get the current session with spring-session
Spring authorization server authenticate for each client
Why does Spring Security 6 not create sessions when authenticating with curl and basic auth?
Spring security - Specific session creation policy per matchers
How can I increase the in memory session store to maximum
Vue/SpringBoot: Why does my JSESSIONID keeps changing
Put user in HttpSession with Spring Security default login and authenticate
No Session cookie set when using CookieServerCsrfTokenRepository
How to set absolute session timeout for a Spring Session
Getting Spring Session information from Spring Actuator
Does Spring Session REST support WebFlux Reactor applications?
notify-keyspace-events in Redis