Dominik Hirt (Migrated from SEC-1927) said:
The class org.springframework.security.web.session.SessionManagementFilter logs a wrong session ID in one of the debug log entries. In line 91 there is a missing space between the word 'ID' in the log message and the value:
logger.debug("Requested session ID" + request.getRequestedSessionId() + " is invalid.");
That leads to e.g. the following line:
"Requested session IDBD230F0B1B30002A89B47B182FD2874E is invalid."
If the reader of such a line is not mindful enough, he would looking for a session IDBD230F0B1B30002A89B47B182FD2874E which doesn't exists. It should be read:
"Requested session ID BD230F0B1B30002A89B47B182FD2874E is invalid."
Rob Winch said:
Resolved in master. I also added a guard to the log statement