First class WebSession change id support [SPR-15571] #20130

Closed
spring-issuemaster opened this issue May 19, 2017 · 6 comments

@spring-issuemaster commented May 19, 2017

Rob Winch opened SPR-15571 and commented

It is critical for Spring Security to have an API that can change the WebSession's identifier to prevent things like session fixation attacks. Providing something more first class than invalidating the session and then creating a new one is ideal because in a distributed session it is better to be able to only need to update the id vs delete and then create (copying all the attributes over).


Affects: 5.0 RC1

Referenced from: commits e2ee23b

@spring-issuemaster commented May 22, 2017

Rossen Stoyanchev commented

What would you like to see? Currently DefaultWebSession is created through a protected method in DefaultWebSessionManager which in turn is created in WebHttpHandlerBuilder after checking for a Spring bean with the well-known name "webSessionManager".

@spring-issuemaster commented May 22, 2017

Rossen Stoyanchev commented

Also, the default implementation uses UUID.randomUUID().toString(). We could use IdGenerator instead, in which case is there a default implementation that we should use that provides safer defaults?

@spring-issuemaster commented May 22, 2017

Rob Winch commented

I would like something similar to WebSession.changeId() method which changes the id associated with the WebSession. Obviously at that time, the cookie would need to be updated with the new id and the WebSessionManager would need to be notified of the change. Ideally, WebSessionManager would be able to know that only the id changed rather than delete on the old WebSession and save on a new WebSession to improve the performance.

@spring-issuemaster commented May 22, 2017

Rossen Stoyanchev commented

If Spring Security will customize every session, and since we have full control over session creation, would it not make sense to configure this once through the WebSessionManager? If nothing else there is an overhead in using UUID.randomUUID() only to be ignored afterwards. We could also consider a lazy session id determination but conceptually I wonder if there is a reason not to create the session with the desired id.

@spring-issuemaster commented May 22, 2017

Rob Winch commented

Rossen Stoyanchev, I don't think I'm conveying my issue very well.

I'd like to support the following flow:

  • A page is visited
  • The user requests to log in
  • A login form is present. At this time a session is created and the session id might be session-1. There may be session attributes associated with the session.
  • The user authenticates successfully via Spring Security. Spring Security would like to instruct WebSession that the current session id should change to something else (it doesn't care what it is, but it should be new). Spring Security would like this done in the most efficient way possible, so invalidating the session and recreating the session is not ideal. This is because if the session is created in a distributed store (i.e. Redis) the entire session object must be deleted and then inserted again with the new id vs just an update to the id.

Does this help clarify what I'm looking for?

@spring-issuemaster commented May 22, 2017

Rob Winch commented

To add to that... I'm looking for something similar to HttpServletRequest.changeSessionId(): http://docs.oracle.com/javaee/7/api/javax/servlet/http/HttpServletRequest.html#changeSessionId--
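The flow Rob describes (a session created before login, its id rotated on successful authentication, attributes kept, and the store told only that the id changed) together with the changeSessionId()-style API he asks for, as an added illustration that is not Spring's code: a Python model of a session store with a first-class change_id next to the delete-then-insert fallback the issue wants to avoid. WebSession, SessionStore, change_id and rotate_on_login are assumed names, and the operation log is there only to make the cost difference visible.

```python
# Constructed model of the session-id rotation discussed in this issue; not Spring code.
import secrets
from dataclasses import dataclass, field


@dataclass
class WebSession:
    id: str
    attributes: dict = field(default_factory=dict)


class SessionStore:
    """In-memory stand-in for a distributed store (e.g. Redis); logs every backend op."""

    def __init__(self):
        self._sessions = {}
        self.ops = []

    def create(self):
        session = WebSession(id=secrets.token_urlsafe(16))
        self._sessions[session.id] = session
        self.ops.append(("insert", session.id))
        return session

    def find(self, session_id):
        return self._sessions.get(session_id)

    def delete(self, session_id):
        self._sessions.pop(session_id, None)
        self.ops.append(("delete", session_id))

    def change_id(self, session):
        """First-class rotation: the store only re-keys the entry; attributes stay put."""
        old_id, session.id = session.id, secrets.token_urlsafe(16)
        self._sessions[session.id] = self._sessions.pop(old_id)
        self.ops.append(("update-id", old_id, session.id))
        return session.id


def rotate_on_login(store, session_id, username, first_class=True):
    """Bind the authenticated user to the session and return the id the cookie must
    now carry; the pre-login id stops resolving, which is what defeats fixation."""
    session = store.find(session_id)
    session.attributes["user"] = username
    if first_class:
        return store.change_id(session)
    # Fallback the issue wants to avoid: copy everything into a new entry, delete the old.
    fresh = store.create()
    fresh.attributes.update(session.attributes)
    store.delete(session.id)
    return fresh.id
```

With first_class=True the store sees one update after login; with the fallback it sees an insert plus a delete and every attribute is copied.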
