SEC-1211: Create strategy for session handling on successful authentication #1454

Closed
spring-issuemaster opened this Issue Jul 28, 2009 · 3 comments

1 participant

@spring-issuemaster

Luke Taylor (Migrated from SEC-1211) said:

The code for session-fixation protection is currently duplicated between the AbstractAuthenticationProcessingFilter and the SessionFixationProtectionFilter. The former needs to create a new session before it redirects to the required target; the latter handles authentication which has occurred during the current request.

A strategy implementation could be shared between them and also deal with updating the session registry, deciding what attributes to migrate etc.

@spring-issuemaster

Luke Taylor said:

I've extracted the interface AuthenticatedSessionStrategy which is now used in both places. DefaultAuthenticationStrategy implements the standard session-fixation protection behaviour, renewing the session and migrating the attributes if configured to do so. It also retains the SavedRequest attribute by default, even if not migrating the attributes (see SEC-1077).

@spring-issuemaster

Luke Taylor said:

SessionFixationProtectionFilter has also been renamed to SessionManagementFilter, since it no longer performs session-fixation protection itself, but delegates to the configured strategy.
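The strategy described in the comments above, written out as an added example against the plain Servlet API; this is not Spring Security's own code. The interface name AuthenticatedSessionStrategy is taken from the comment, but its method signature, the enclosing SessionFixationExample class, and the SAVED_REQUEST_KEY attribute name are assumptions made for this illustration. The point it shows is the ordering: the attributes to keep are copied out, the old session (the id a fixation attacker may already hold) is invalidated, and only then is a fresh session created, with the saved request carried over even when general attribute migration is switched off.

```java
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

public class SessionFixationExample {

    /** Strategy contract named in the comment above; the method signature is an assumption. */
    public interface AuthenticatedSessionStrategy {
        void onAuthentication(HttpServletRequest request);
    }

    /**
     * Renews the session id on successful authentication so that an id handed to the
     * victim before login (session fixation) is no longer valid after the login.
     * Both a login-processing filter (before its redirect) and a per-request filter
     * that notices a newly authenticated user can call this single implementation.
     */
    public static class DefaultAuthenticationStrategy implements AuthenticatedSessionStrategy {
        // Assumed attribute name for the SavedRequest; Spring Security's real key differs.
        static final String SAVED_REQUEST_KEY = "SAVED_REQUEST";

        private final boolean migrateSessionAttributes;

        public DefaultAuthenticationStrategy(boolean migrateSessionAttributes) {
            this.migrateSessionAttributes = migrateSessionAttributes;
        }

        @Override
        public void onAuthentication(HttpServletRequest request) {
            HttpSession oldSession = request.getSession(false);
            if (oldSession == null) {
                return; // no pre-authentication session exists, so nothing to renew
            }
            Map<String, Object> retained = extractAttributes(oldSession);
            // Invalidate first: the old id is the one an attacker may have planted.
            oldSession.invalidate();
            // getSession(true) makes the container issue a fresh id with its own generator;
            // never reuse or hand-construct the id here.
            HttpSession newSession = request.getSession(true);
            for (Map.Entry<String, Object> entry : retained.entrySet()) {
                newSession.setAttribute(entry.getKey(), entry.getValue());
            }
        }

        /** Copies the attributes that should survive renewal out of the old session. */
        private Map<String, Object> extractAttributes(HttpSession session) {
            Map<String, Object> copy = new HashMap<String, Object>();
            Enumeration<?> names = session.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = (String) names.nextElement();
                // The SavedRequest is always carried over (SEC-1077) so the post-login
                // redirect still works; all other attributes only when configured.
                if (migrateSessionAttributes || SAVED_REQUEST_KEY.equals(name)) {
                    copy.put(name, session.getAttribute(name));
                }
            }
            return copy;
        }
    }
}
```

A filter would call `strategy.onAuthentication(request)` immediately after the authentication succeeds and before writing any redirect, so the Set-Cookie for the new id goes out with the same response. Invalidating before creating the replacement matters: calling `getSession(true)` on a still-valid session simply returns it, leaving the fixated id in place.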

@spring-issuemaster spring-issuemaster added this to the 3.0.0 M2 milestone Feb 5, 2016
@spring-issuemaster

This issue supersedes #1328
This issue supersedes #1301
