
SEC-2011: SessionFixationProtectionStrategy Javadoc states to inject SessionRegistry but does not contain that field #2237

spring-issuemaster opened this Issue Jul 19, 2012 · 3 comments



Mauro Molinari (Migrated from SEC-2011) said:

The SessionFixationProtectionStrategy Javadoc says:

If concurrent session control is in use, then a SessionRegistry must be injected. 

However, this feature is offered by the subclass ConcurrentSessionControlStrategy. Another reference to the session registry is in the org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy.onAuthentication(Authentication, HttpServletRequest, HttpServletResponse) Javadoc:

The sessionRegistry will be updated with the new session information.

Once again, this is done by the org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy.onAuthentication(Authentication, HttpServletRequest, HttpServletResponse) instead.
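To make the class split described in this report concrete, here is an added wiring example (not code from the issue or from the Spring Security project) against the Spring Security 3.1 API: the base SessionFixationProtectionStrategy is constructed with no registry at all, while ConcurrentSessionControlStrategy takes the SessionRegistry in its constructor and is the one that records the new session. The names not on the page (SessionRegistryImpl, setMigrateSessionAttributes, setMaximumSessions, setExceptionIfMaximumExceeded, UsernamePasswordAuthenticationFilter.setSessionAuthenticationStrategy) are assumed from the 3.1 API, and the class SessionStrategyWiring is a hypothetical holder for the two factory methods.

```java
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
import org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy;

// Hypothetical helper class; assumes the Spring Security 3.1.x API.
public class SessionStrategyWiring {

    // Session fixation protection only: a fresh session id is issued on login.
    // No SessionRegistry exists on this class, which is the point of the report.
    public static SessionAuthenticationStrategy fixationOnly() {
        SessionFixationProtectionStrategy strategy = new SessionFixationProtectionStrategy();
        // Copy attributes from the old session into the new one (the default).
        strategy.setMigrateSessionAttributes(true);
        return strategy;
    }

    // Concurrent session control: the subclass requires the registry and
    // is the one whose onAuthentication(...) updates it with the new session.
    public static SessionAuthenticationStrategy concurrentControl(SessionRegistry registry) {
        ConcurrentSessionControlStrategy strategy = new ConcurrentSessionControlStrategy(registry);
        // Allow one session per principal; expire the oldest rather than reject the login.
        strategy.setMaximumSessions(1);
        strategy.setExceptionIfMaximumExceeded(false);
        return strategy;
    }

    // Attach the chosen strategy to the form-login filter.
    public static UsernamePasswordAuthenticationFilter wire(boolean concurrentControlEnabled) {
        UsernamePasswordAuthenticationFilter filter = new UsernamePasswordAuthenticationFilter();
        if (concurrentControlEnabled) {
            SessionRegistry registry = new SessionRegistryImpl();
            filter.setSessionAuthenticationStrategy(concurrentControl(registry));
        } else {
            filter.setSessionAuthenticationStrategy(fixationOnly());
        }
        return filter;
    }
}
```

When concurrent control is enabled, the same SessionRegistry instance also has to be shared with the ConcurrentSessionFilter, and HttpSessionEventPublisher must be registered in web.xml so that the registry sees session destruction; otherwise expired sessions are never evicted from it. Note that this wiring targets the 3.1 line discussed in the issue; later releases reorganised these strategies.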

Rob Winch said:

Thank you for submitting this issue. It has been fixed in master.

Mauro Molinari said:

Thank you Rob, however please note that a reference to the session registry is still on the SessionFixationProtectionStrategy.onAuthentication(Authentication, HttpServletRequest, HttpServletResponse) method Javadoc.

Rob Winch said:

I clearly missed that portion of the JIRA...thanks for keeping me honest :). I have moved the SessionFixationProtectionStrategy.onAuthentication reference of SessionRegistry to ConcurrentSessionControlStrategy.onAuthentication. Thanks again.

@spring-issuemaster spring-issuemaster added this to the 3.1.2 milestone Feb 5, 2016
