SEC-1875: SessionRegistry.registerNewSession invoked twice after successful authentication #2080

spring-issuemaster opened this Issue Dec 20, 2011 · 3 comments



Alvin Chee (Migrated from SEC-1875) said:

In Spring Security 3.1.0, SessionRegistry.registerNewSession is now invoked twice, due to SessionFixationProtectionStrategy.onAuthentication calling onSessionChange (this call wasn't there in previous versions up to 3.0.7).

I'm using a custom SessionRegistry implementation which uses a database table as the session registry, thus facing a constraint error if the same session is registered twice.

Perhaps ConcurrentSessionControlStrategy.onAuthentication need not invoke sessionRegistry.registerNewSession now?

Grzegorz Rozniecki said:

Temporary fix is to override onSessionChange like this:

import javax.servlet.http.HttpSession;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy;

public class FixedConcurrentSessionControlStrategy extends ConcurrentSessionControlStrategy {
    public FixedConcurrentSessionControlStrategy(final SessionRegistry sessionRegistry) {
        super(sessionRegistry);
    }
    // Until https://jira.springsource.org/browse/SEC-1875 is resolved: no-op, so the
    // session is registered only once (by onAuthentication) and not again here.
    @Override
    protected void onSessionChange(final String originalSessionId, final HttpSession newSession, final Authentication auth) {
    }
}

but I hope it'll be fixed in 3.1.1.

Rob Winch said:

The changes for SEC-1229 introduced two issues

  • SessionRegistry.registerNewSession is invoked twice
  • SessionRegistry.removeSession is invoked twice (once by the
    ConcurrentSessionControlStrategy#onSessionChange and once by
    SessionRegistryImpl#onApplicationEvent). This is not nearly
    as problematic since the interface states that implementations
    should handle removing the session twice. However, as removing
    twice requires an unnecessary database hit we should only remove
    sessions once.

The problem with the initially proposed solution is that if the session was new, it would not be inserted into the SessionRegistry. It also did not address the second issue. The solution to both of these issues was to remove the onSessionChange method from ConcurrentSessionControlStrategy and allow the super class to process onSessionChange with a do-nothing implementation to keep passivity (very similar to Grzegorz's solution).
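A regression check for the first issue, added here as an example and not part of the project's own test suite: a counting SessionRegistry stub is handed to ConcurrentSessionControlStrategy, an authentication with a pre-existing session is processed (so session-fixation protection migrates it), and the test asserts that registerNewSession ran exactly once. It assumes Spring Security 3.1, spring-test's mock servlet classes and JUnit 4 on the classpath; the class and stub names are hypothetical. Against 3.1.0 the count is 2 and the test fails; against the fix it passes.

```java
import java.util.ArrayList;
import java.util.List;
import org.junit.Test;
import static org.junit.Assert.assertEquals;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.core.session.SessionInformation;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy;

public class RegisterNewSessionOnceTest {

    // Hypothetical stub: counts every registerNewSession / removeSessionInformation call
    // and reports no existing sessions, so the concurrency limit never triggers.
    static class CountingSessionRegistry implements SessionRegistry {
        int registered;
        int removed;
        public List<Object> getAllPrincipals() { return new ArrayList<Object>(); }
        public List<SessionInformation> getAllSessions(Object principal, boolean includeExpired) {
            return new ArrayList<SessionInformation>();
        }
        public SessionInformation getSessionInformation(String sessionId) { return null; }
        public void refreshLastRequest(String sessionId) { }
        public void registerNewSession(String sessionId, Object principal) { registered++; }
        public void removeSessionInformation(String sessionId) { removed++; }
    }

    @Test
    public void newSessionIsRegisteredExactlyOnce() {
        CountingSessionRegistry registry = new CountingSessionRegistry();
        ConcurrentSessionControlStrategy strategy = new ConcurrentSessionControlStrategy(registry);

        MockHttpServletRequest request = new MockHttpServletRequest();
        request.getSession(); // pre-authentication session: fixation protection will migrate it
        TestingAuthenticationToken auth = new TestingAuthenticationToken("user", "pw", "ROLE_USER");

        strategy.onAuthentication(auth, request, new MockHttpServletResponse());

        // A DB-backed registry with a unique constraint on session id breaks if this is 2.
        assertEquals(1, registry.registered);
    }
}
```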

@spring-issuemaster spring-issuemaster added this to the 3.1.1 milestone Feb 5, 2016

This issue relates to #1477
