SEC-1109: invalidateSessionOnSuccessfulAuthentication broken if there's a flex session in session #1360

spring-issuemaster opened this Issue Feb 24, 2009 · 2 comments

1 participant


NotMy Name (Migrated from SEC-1109) said:

BlazeDS, whether used in combination with spring blazeDS integration or not, creates a session attribute with key __flexSession and of type HttpFlexSession. This object maintains a circular link back to the HttpSession. When the old session is invalidated on login, the default behaviour is to copy all attributes across. The __flexSession attribute is copied, but the reference to the original HttpSession within it is left intact. In fact, it is a private member that is only set via private constructor, so it is impossible to update.

It is possible that the flex session can be cloned in much the same way as the HttpSession, but in order to do so, one would have to override SessionUtils, butt that class is both static and final, so it isn’t possible to simply inject our own subclass of SessionUtils which knows how to take care of the __flexSession attribute. Instead, we were forced to create a class of the same name and package and place it earlier in the classpath, which is a pretty ugly kludge which will cause our codebase to persist any errors that might be fixed in subsequent releases.

I think the correct fix for this is to create a bean out of SessionUtils, inject it where appropriate, and then allow the blazeds integration team to provide an alternate SessionUtils class which knows how to handle the HttpFlexSession. AT the very least, the flex session can be dropped and not copied across, but ideally, the correct mechanism for cloning it can be called and the flex session attributes can be retained. The blazeDS documentation isn’t terribly enlightening when it comes to documenting the side effects of attempting to clone the various properties and attributes of the HttpFlexSession, so a bit of research is required before anything other than dropping that attribute is adopted as a solution.

A link to the bug I created over on the blaze ds jira is:

Incidentally, if the __flexSession attribute is copied over to the new session with the reference to the old HttpSession intact, it results in invalid session exceptions being thrown on every blaze ds call.


Luke Taylor said:

Not a bug, as handling flex sessions isn’t intended to be part of the session fixation code. Changing to “improvement”.


Luke Taylor said:

The changes made for SEC-1211 should supply the functionality you want. SessionUtils has been replaced by the AuthenticatedSessionStrategy, which you should be able to implement yourself, handling the session attributes as you please and making a special case for the __flexSession.

@spring-issuemaster spring-issuemaster added this to the 3.0.0 M2 milestone Feb 5, 2016
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment