Nathan Summers (Migrated from SEC-1391) said:
SessionListeners that act on the destruction of HttpSessions sometimes need to behave differently if the session is being destroyed because its attributes are being migrated to a new session by the SessionFixationProtectionFilter. There needs to be some method that they can call to find out if that is the case. It would also be nice to have a convenience MigrationAwareSessionListener abstract class that calls a different method on migration than on true session end.
Luke Taylor said:
Session listeners are part of the servlet API and are invoked by the container, so I'm not really clear what you mean. As far as I can see, the only way (apart from checking the call stack) that you could determine that a session was being destroyed in order to migrate its attributes is to place some marker object in the session itself.
In Spring Security 3, you can customize the SessionAuthenticationStrategy in order to alter the behaviour when the session is migrated. At that point you could put an object in the session and check for it in your HttpSessionListener. I don't think there's a need for even more infrastructure classes as the interfaces involved are very simple.