
SessionRegistryImpl is not aware of SessionIdChange events. #5438


Closed · aj-jaswanth opened this issue Jun 13, 2018 · 2 comments
Labels: in: config (An issue in spring-security-config), type: enhancement (A general enhancement)
Milestone: 5.4.0

Comments

@aj-jaswanth (Contributor) opened the issue Jun 13, 2018

SessionRegistryImpl can be used to track sessions. We can register new sessions with it. When the session expires it'll be automatically removed, because it implements ApplicationListener.

However, as of Servlet spec 3.1 it is possible to change the id of the current session without invalidating it by calling Session.changeSessionId(). But, SessionRegistryImpl will not be aware of the change and continues to have the older session id. The older session id will never be removed.

@eleftherias (Contributor) commented

@aj-jaswanth Please see my comments on the PR gh-5439.

@eleftherias eleftherias added in: config An issue in spring-security-config and removed status: waiting-for-triage An issue we've not yet triaged labels Nov 4, 2019
@eleftherias (Contributor) commented Jan 14, 2020

Use Case

Summary

When using the changeSessionId session fixation protection strategy (which is also the default) and setting the maximumSessions to 1, the expired session information is not removed from SessionRegistryImpl.

To reproduce this, while running in debug, log in using one tab and then log in with the same user in a different tab.
Check the sessionIds list in SessionRegistryImpl.

Actual Behavior

Both the current session ID and the previously expired session ID are in the sessionIds list.

Expected Behavior

Only the current session ID should be in the sessionIds list.

Configuration

```java
import static org.springframework.security.config.Customizer.withDefaults;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.session.HttpSessionEventPublisher;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter { // class name assumed

	@Override
	protected void configure(HttpSecurity http) throws Exception {
		http
			.authorizeRequests(authorize -> authorize
				.anyRequest().authenticated()
			)
			.sessionManagement(management -> management
				// at most one session per principal; the older one is marked expired
				.sessionConcurrency(concurrency -> concurrency
					.maximumSessions(1)
				)
				// rotate the session id on login instead of creating a new session
				.sessionFixation(fixation -> fixation
					.changeSessionId()
				)
			)
			.formLogin(withDefaults());
	}

	// publishes session created/destroyed events so SessionRegistryImpl can drop destroyed sessions
	@Bean
	public HttpSessionEventPublisher httpSessionEventPublisher() {
		return new HttpSessionEventPublisher();
	}
}
```

@eleftherias eleftherias added the type: enhancement A general enhancement label Mar 6, 2020
@eleftherias eleftherias added this to the 5.4.0 milestone Mar 6, 2020
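One application-level workaround for the gap described in both comments above (the registry still holding the old id after HttpSession.changeSessionId(), and the expired id lingering in sessionIds when maximumSessions(1) is combined with the changeSessionId strategy), as an added example that is not part of this issue and not Spring Security's own code: a Servlet 3.1 HttpSessionIdListener that moves the SessionInformation entry from the old id to the new one, so the stale id is removed and any expiry flag set by concurrency control survives the rotation. The class name SessionRegistryIdChangeListener, looking up the SessionRegistry bean through WebApplicationContextUtils, and registering the listener with @WebListener are assumptions made for this example.

```java
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionIdListener;

import org.springframework.security.core.session.SessionInformation;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.web.context.support.WebApplicationContextUtils;

/**
 * Assumed workaround (not Spring Security code): keep the SessionRegistry in step
 * with HttpSession.changeSessionId(), which the container reports through the
 * Servlet 3.1 HttpSessionIdListener callback but which SessionRegistryImpl ignores.
 */
@WebListener
public class SessionRegistryIdChangeListener implements HttpSessionIdListener {

	@Override
	public void sessionIdChanged(HttpSessionEvent event, String oldSessionId) {
		HttpSession session = event.getSession();
		// Assumption: the registry is a bean in the root WebApplicationContext.
		SessionRegistry registry = WebApplicationContextUtils
				.getRequiredWebApplicationContext(session.getServletContext())
				.getBean(SessionRegistry.class);

		SessionInformation old = registry.getSessionInformation(oldSessionId);
		if (old == null) {
			// The old id was never registered (for example an anonymous session
			// rotated before authentication), so there is nothing to migrate.
			return;
		}

		String newSessionId = session.getId();
		// Register the new id first so a concurrent request never sees the
		// principal with no session at all...
		registry.registerNewSession(newSessionId, old.getPrincipal());
		// ...then drop the stale entry that would otherwise never be removed.
		registry.removeSessionInformation(oldSessionId);

		if (old.isExpired()) {
			// Concurrency control had already expired this session; carry the
			// flag across so ConcurrentSessionFilter still rejects the next request.
			registry.getSessionInformation(newSessionId).expireNow();
		}
	}
}
```

Containers only honour @WebListener when annotation scanning is enabled; in a Spring Boot application you would instead expose the listener through a ServletListenerRegistrationBean, or add @ServletComponentScan. Because the listener runs outside Spring Security's own SessionAuthenticationStrategy chain, it is worth verifying in a debugger that the migration happens after ConcurrentSessionControlAuthenticationStrategy has flagged the older session, otherwise the expiry flag would not be present to carry over.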
3 participants