Changing session id upon login with Spring (session fixation protection) #6
Comments
Hi @stojsavljevic, thanks for reporting. Is it possible to reproduce the issue via a test case?
Hi @mesutcelik, as far as I can see, SpringAwareWebFilterTest does not test changing the session id upon login, so I wrote my own test and put it in SpringAwareWebFilterTest. Here is my test case:
and the test fails in the last line (when comparing Hazelcast session ids) on the 3.6.2 tag version of Hazelcast. I also checked Hazelcast's sample for integration with Spring Security (https://github.com/hazelcast/hazelcast-code-samples/tree/master/hazelcast-integration/spring-security) and confirmed the issue.
Hi guys,
Spring Security conf:
Hi @bchupika, it might be a good idea to create a new issue for this and link this one if it's relevant.
Hi,
I'm trying to set up session clustering with my Spring Security application.
I configured SpringAwareWebFilter, SessionListener and SessionRegistry.
Session clustering works, but I am not able to set up proper session fixation protection. I want to force changing the session id on login, but my Hazelcast session id never changes with Hazelcast 3.6.2.
I managed to get the desired behavior with version 3.4.1.
After some debugging, it seems to me that there is no appropriate code in WebFilter 3.6.2: after a successful login the old session gets invalidated, but the new session is created with the old id that is cached in the SessionRegistry's clusteredSessionId attribute. With version 3.4.1 there is code that creates the new session by passing null as the session id (so a new one is generated).
I tried this on different environments: Tomcat 7 and 8, embedded Tomcat (using Spring Boot), XML config, Java config. In general, I want to use the latest stable versions of tools like Spring, Spring Boot etc.
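A minimal model of the two code paths described in the report, added here as an illustration and not Hazelcast's or Spring Security's code: the registry, its create() method and the two login helpers are hypothetical, only the class and attribute names come from the issue. It shows why reusing the cached id defeats session fixation protection and why passing null restores it.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.UUID;

public class SessionFixationModel {

    /** Hypothetical model of the clustered registry: cluster-wide session id -> attributes. */
    static class SessionRegistry {
        final Map<String, Map<String, Object>> sessions = new HashMap<>();

        /** Pass null to get a freshly generated id, or an existing id to reuse it. */
        String create(String requestedId, Map<String, Object> attributes) {
            String id = (requestedId == null) ? UUID.randomUUID().toString() : requestedId;
            sessions.put(id, new HashMap<>(attributes));
            return id;
        }

        void invalidate(String id) { sessions.remove(id); }
    }

    /** Flawed path (behaviour described for 3.6.2): the id cached in the
     *  "clusteredSessionId" attribute is handed straight back to create(),
     *  so the session keeps the id it had before authentication. */
    static String loginReusingCachedId(SessionRegistry registry, String currentId) {
        Map<String, Object> attrs = registry.sessions.get(currentId);
        String cached = (String) attrs.get("clusteredSessionId");
        registry.invalidate(currentId);
        return registry.create(cached, attrs);
    }

    /** Fixed path (behaviour described for 3.4.1): null forces a new id, so an id
     *  that was known before login no longer identifies the authenticated session. */
    static String loginWithFreshId(SessionRegistry registry, String currentId) {
        Map<String, Object> attrs = registry.sessions.get(currentId);
        registry.invalidate(currentId);
        String fresh = registry.create(null, attrs);
        registry.sessions.get(fresh).put("clusteredSessionId", fresh);
        return fresh;
    }

    public static void main(String[] args) {
        SessionRegistry registry = new SessionRegistry();
        String before = registry.create(null, new HashMap<>());
        registry.sessions.get(before).put("clusteredSessionId", before);

        String afterFlawed = loginReusingCachedId(registry, before);
        String afterFixed = loginWithFreshId(registry, afterFlawed);
        // The check a session fixation test makes: the id must differ after login.
        System.out.println("flawed path changed id: " + !before.equals(afterFlawed));
        System.out.println("fixed path changed id:  " + !afterFlawed.equals(afterFixed));
    }
}
```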