
SEC-1211: Create strategy for session handling on successful authentication #1454

spring-issuemaster opened this Issue Jul 28, 2009 · 3 comments



Luke Taylor (Migrated from SEC-1211) said:

The code for session-fixation protection is currently duplicated between the AbstractAuthenticationProcessingFilter and the SessionFixationProtectionFilter. The former needs to create a new session before it redirects to the required target; the latter handles authentication which has occurred during the current request.

A strategy implementation could be shared between them and also deal with updating the session registry, deciding what attributes to migrate etc.

Luke Taylor said:

I've extracted the interface AuthenticatedSessionStrategy which is now used in both places. DefaultAuthenticationStrategy implements the standard session-fixation protection behaviour, renewing the session and migrating the attributes if configured to do so. It also retains the SavedRequest attribute by default, even if not migrating the attributes (see SEC-1077).

Luke Taylor said:

SessionFixationProtectionFilter has also been renamed to SessionManagementFilter, since it no longer performs session-fixation protection itself, but delegates to the configured strategy.
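The shared strategy the two comments above describe, as an added illustration that is not the project's own code: the interface name mirrors the one mentioned in the thread but its method signature here is assumed, `SAVED_REQUEST_KEY` is a placeholder for the real saved-request attribute name, and only the standard servlet session API is used.

```java
import java.util.Enumeration;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/** Assumed shape of the strategy shared by the two filters (signature is hypothetical). */
interface AuthenticatedSessionStrategy {
    void onAuthentication(HttpServletRequest request);
}

/** Renews the session id on successful login; migrates attributes only when configured to. */
class DefaultAuthenticationStrategy implements AuthenticatedSessionStrategy {
    // Placeholder for the saved-request attribute name; not the project's real constant.
    static final String SAVED_REQUEST_KEY = "SAVED_REQUEST";
    private final boolean migrateAttributes;

    DefaultAuthenticationStrategy(boolean migrateAttributes) {
        this.migrateAttributes = migrateAttributes;
    }

    @Override
    public void onAuthentication(HttpServletRequest request) {
        HttpSession old = request.getSession(false);
        if (old == null) {
            return; // no pre-login session exists, so there is no id an attacker could have fixed
        }
        Map<String, Object> carried = new LinkedHashMap<>();
        Enumeration<String> names = old.getAttributeNames();
        while (names.hasMoreElements()) {
            String name = names.nextElement();
            // The saved request is kept even when other attributes are dropped (cf. SEC-1077),
            // so the post-login redirect to the original target still works.
            if (migrateAttributes || SAVED_REQUEST_KEY.equals(name)) {
                carried.put(name, old.getAttribute(name));
            }
        }
        old.invalidate();                             // retire the id known before authentication
        HttpSession fresh = request.getSession(true); // container issues a new id to the client
        for (Map.Entry<String, Object> e : carried.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
    }
}
```

Calling `onAuthentication` from both the form-login filter (before its redirect) and the session-management filter gives the single place to later hook in session-registry updates, as the issue proposes.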

spring-issuemaster added this to the 3.0.0 M2 milestone Feb 5, 2016

This issue supersedes #1328
This issue supersedes #1301
