Luke Taylor (Migrated from SEC-1211) said:
The code for session-fixation protection is currently duplicated between the AbstractAuthenticationProcessingFilter and the SessionFixationProtectionFilter. The former needs to create a new session before it redirects to the required target; the latter handles authentication which has occurred during the current request.
A strategy implementation could be shared between them and also deal with updating the session registry, deciding what attributes to migrate etc.
Luke Taylor said:
I've extracted the interface AuthenticatedSessionStrategy which is now used in both places. DefaultAuthenticationStrategy implements the standard session-fixation protection behaviour, renewing the session and migrating the attributes if configured to do so. It also retains the SavedRequest attribute by default, even if not migrating the attributes (see SEC-1077).
SessionFixationProtectionFilter has also been renamed to SessionManagementFilter, since it no longer performs session-fixation protection itself, but delegates to the configured strategy.
This issue supersedes #1328
This issue supersedes #1301
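To make the strategy behaviour described in the thread concrete (invalidate the current session, create a fresh one, migrate attributes only if configured, but always carry the SavedRequest across), here is an added, stand-alone illustration written against the plain javax.servlet 3.x API. It is not Spring Security's own class, the class name `SessionRenewingStrategy`, the method `onAuthentication` and the attribute key passed as `savedRequestKey` are assumptions for this example, and the real attribute key name is whatever the project's request cache uses.

```java
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Illustrative session-fixation protection strategy (example only; not the
 * Spring Security implementation). Both an authentication-processing filter
 * and a session-management filter can share it: each calls onAuthentication()
 * once the user is authenticated and before any redirect is written.
 */
public class SessionRenewingStrategy {

    /** Assumed attribute key under which the saved request is stored. */
    private final String savedRequestKey;
    /** When false, only the saved request is carried into the new session. */
    private final boolean migrateSessionAttributes;

    public SessionRenewingStrategy(String savedRequestKey, boolean migrateSessionAttributes) {
        this.savedRequestKey = savedRequestKey;
        this.migrateSessionAttributes = migrateSessionAttributes;
    }

    /**
     * Replaces the current session with a fresh one so that a session ID the
     * client (or an attacker) held before login is no longer authenticated.
     * Returns the new session ID, or null when there was no session to renew.
     */
    public String onAuthentication(HttpServletRequest request, HttpServletResponse response) {
        HttpSession oldSession = request.getSession(false);
        if (oldSession == null) {
            return null; // nothing was fixed before login; a session can be created later
        }
        if (response.isCommitted()) {
            // The new session cookie could not reach the client, so renewing
            // here would silently leave the old ID in use: fail loudly instead.
            throw new IllegalStateException(
                    "response already committed; session must be renewed before redirecting");
        }

        Map<String, Object> carried = attributesToCarry(oldSession);

        oldSession.invalidate();                  // server-side kill of the old ID
        HttpSession newSession = request.getSession(true); // container issues a new ID

        for (Map.Entry<String, Object> entry : carried.entrySet()) {
            newSession.setAttribute(entry.getKey(), entry.getValue());
        }
        return newSession.getId();
    }

    /** Decides what survives the renewal: everything, or just the saved request. */
    private Map<String, Object> attributesToCarry(HttpSession session) {
        Map<String, Object> attrs = new HashMap<String, Object>();
        if (migrateSessionAttributes) {
            Enumeration<String> names = session.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = names.nextElement();
                attrs.put(name, session.getAttribute(name));
            }
        } else {
            // Even without migration, keep the saved request so the post-login
            // redirect to the originally requested URL still works.
            Object savedRequest = session.getAttribute(savedRequestKey);
            if (savedRequest != null) {
                attrs.put(savedRequestKey, savedRequest);
            }
        }
        return attrs;
    }
}
```

The `isCommitted()` check is the practitioner's safeguard for the ordering problem the first comment raises: the new session ID is delivered as a cookie in the response, so the strategy must run before the authentication filter sends its redirect, otherwise the client keeps the pre-login ID and the protection is void.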