Endless loop with Spring Security and Spring Session if you make cookie path more generic #3947

Closed
@mschipperheyn

Description

So, I'm running into this endless loop scenario when I try to access a protected resource.

I use Spring Security 4.1, Spring Session 1.2.1-BUILD-SNAPSHOT, and Spring Framework 4.1.9.

My configuration uses RememberMe functionality based on cookies.

The reason seems to be that I have two JSESSIONID (I renamed them to JSESSIONID) cookies on my computer. An old cookie and a new cookie. The old cookie has a path of /myContextPath/ and one has a path of /.

I changed the way cookies were written to support some spring websocket functionality if I remember correctly. My CookieSerializer used to have a cookie path setting of null (writing to /contextPath/) and now writes to "/".

Spring Session CookieHttpSessionStrategy reads the two cookies, but chooses the old one by default (with /contextPath/) (method: CookieHttpSessionStrategy.getSessionIds) and ignores the other one. I assume because it is more specific.

It determines that the session is invalid and then goes on to create a new one, which generates the new cookie and writes the cookie with a path of "/". It then goes into the same loop and retrieves the old one when it should be retrieving the new one.

Should this be considered a misconfiguration on my part? It seems like this could happen in a real-world scenario quite easily (without realizing).

By the way, my filter sequence seems wrong (don't know why). Maybe this has an impact. I'm not sure.

SessionRepositoryFilter
WebAsyncManagerIntegrationFilter
SecurityContextPersistenceFilter
HeaderWriterFilter
LogoutFilter
UsernamePasswordAuthenticationFilter
ConcurrentSessionFilter
RequestCacheAwareFilter
SecurityContextHolderAwareRequestFilter
RememberMeAuthenticationFilter
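The loop described in the report, as an added simulation (not Spring Session code and not the reporter's): a constructed cookie jar holds two same-named cookies, one stale cookie scoped to a context path and one live cookie scoped to "/"; a first-match resolver reproduces the endless re-creation of sessions, while a resolver that checks every candidate against the session store settles on the live session. The cookie name `SESSION`, the path `/ctx/` and the session ids are assumptions.

```python
# Constructed simulation of the duplicate-cookie loop; not Spring Session's code.
from itertools import count

SESSION_COOKIE = "SESSION"  # assumed cookie name (the issue renamed it JSESSIONID)

def cookie_header(jar):
    """Build the Cookie header a browser sends for a request under /ctx/.
    RFC 6265 section 5.4 lists cookies with longer paths first, so the stale
    /ctx/ cookie is seen before the live / cookie. jar maps path -> session id."""
    ordered = sorted(jar.items(), key=lambda kv: len(kv[0]), reverse=True)
    return "; ".join(f"{SESSION_COOKIE}={sid}" for _path, sid in ordered)

def candidate_ids(header):
    """Return every value carried for the session cookie, in header order."""
    return [p.split("=", 1)[1].strip() for p in header.split(";")
            if p.strip().startswith(SESSION_COOKIE + "=")]

def resolve_first(ids, live):
    """Take the first cookie value blindly (the behaviour the issue describes)."""
    return ids[0] if ids else None

def resolve_any_live(ids, live):
    """Hardened variant: accept the first candidate that maps to a live session."""
    return next((sid for sid in ids if sid in live), None)

def simulate(resolve, max_requests=5):
    """Replay requests until a live session is resolved.
    Returns how many sessions the server created before that happened;
    reaching max_requests means the request loop never stabilised."""
    live = {"new"}                       # constructed: only "new" is still valid
    jar = {"/ctx/": "old", "/": "new"}   # constructed: two cookies, same name
    fresh = (f"s{i}" for i in count(1))  # ids for newly created sessions
    created = 0
    for _ in range(max_requests):
        sid = resolve(candidate_ids(cookie_header(jar)), live)
        if sid in live:
            return created               # stable: the session was found
        # Invalid session: the app creates a new one and sets the cookie on "/",
        # which replaces the "/" cookie but leaves the stale "/ctx/" cookie alone.
        sid = next(fresh)
        live.add(sid)
        jar["/"] = sid
        created += 1
    return created                       # hit the request cap: still looping
```

Run `simulate(resolve_first)` and `simulate(resolve_any_live)` to compare: the first-match resolver creates a new session on every request, the candidate-checking resolver creates none.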
