SEC-2011: SessionFixationProtectionStrategy Javadoc states to inject SessionRegistry but does not contain that field #2237

Closed
spring-issuemaster opened this Issue Jul 19, 2012 · 3 comments

2 participants

@spring-issuemaster

Mauro Molinari (Migrated from SEC-2011) said:

The SessionFixationProtectionStrategy Javadoc says:

If concurrent session control is in use, then a SessionRegistry must be injected. 

However, this feature is offered by the subclass ConcurrentSessionControlStrategy. Another reference to the session registry is in the org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy.onAuthentication(Authentication, HttpServletRequest, HttpServletResponse) Javadoc:

The sessionRegistry will be updated with the new session information.

Once again, this is done by the org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy.onAuthentication(Authentication, HttpServletRequest, HttpServletResponse) instead.
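To make the distinction the report describes concrete, here is an added example (not code from the issue or from Spring Security itself) that wires both strategies the way the 3.1 API expects: SessionFixationProtectionStrategy takes no SessionRegistry and only swaps the pre-login session for a fresh one, while ConcurrentSessionControlStrategy requires the registry in its constructor and records the new session in it. It assumes the Spring Security 3.1 class names named in the report and uses the spring-test mocks (MockHttpServletRequest, MockHttpServletResponse) as stand-ins for a real servlet container; the user name "alice" is a constructed sample principal.

```java
import java.util.List;

import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.session.SessionInformation;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy;
import org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy;

/**
 * Added demonstration (assumes the Spring Security 3.1 API): which strategy
 * needs a SessionRegistry and which one does not.
 */
public class SessionStrategyDemo {

    // Constructed sample: an Authentication as it looks after a successful login.
    private static Authentication loginAs(String user) {
        return new UsernamePasswordAuthenticationToken(user, "n/a",
                AuthorityUtils.createAuthorityList("ROLE_USER"));
    }

    /**
     * Session fixation protection alone: the session that existed before login
     * is invalidated and replaced, so an id handed to the victim beforehand is
     * useless afterwards. No SessionRegistry is involved anywhere.
     * Returns true when the session id actually changed.
     */
    static boolean fixationProtectionChangesSessionId() {
        SessionFixationProtectionStrategy strategy = new SessionFixationProtectionStrategy();
        MockHttpServletRequest request = new MockHttpServletRequest();
        // The strategy only acts if a session already exists (alwaysCreateSession is false by default).
        String idBeforeLogin = request.getSession(true).getId();
        strategy.onAuthentication(loginAs("alice"), request, new MockHttpServletResponse());
        String idAfterLogin = request.getSession(false).getId();
        return !idBeforeLogin.equals(idAfterLogin);
    }

    /**
     * Concurrent session control: the subclass is the one that takes the registry
     * (constructor argument) and updates it on authentication. Returns the number
     * of live sessions the registry knows for the principal after two logins
     * (maximumSessions = 1, exceptionIfMaximumExceeded = false, so the first
     * session is expired rather than the second login rejected).
     */
    static int liveSessionsAfterTwoLogins() {
        SessionRegistry registry = new SessionRegistryImpl();
        ConcurrentSessionControlStrategy strategy = new ConcurrentSessionControlStrategy(registry);
        strategy.setMaximumSessions(1);
        strategy.setExceptionIfMaximumExceeded(false);

        // First login from one client.
        MockHttpServletRequest first = new MockHttpServletRequest();
        first.getSession(true);
        strategy.onAuthentication(loginAs("alice"), first, new MockHttpServletResponse());

        // Second login for the same principal from another client.
        MockHttpServletRequest second = new MockHttpServletRequest();
        second.getSession(true);
        strategy.onAuthentication(loginAs("alice"), second, new MockHttpServletResponse());

        // Only sessions that have not been expired count; the older one was marked expired.
        List<SessionInformation> live = registry.getAllSessions("alice", false);
        return live.size();
    }

    public static void main(String[] args) {
        System.out.println("fixation protection rotated the session id: "
                + fixationProtectionChangesSessionId());
        System.out.println("live sessions for alice after two logins: "
                + liveSessionsAfterTwoLogins());
    }
}
```

The point for anyone reading the corrected Javadoc: a SessionFixationProtectionStrategy bean on its own has nowhere to put a SessionRegistry, so a configuration that injects one there is silently ignored; the registry must be handed to ConcurrentSessionControlStrategy (and shared with the ConcurrentSessionFilter) for concurrent session limits to take effect.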

@spring-issuemaster

Rob Winch said:

Thank you for submitting this issue. It has been fixed in master.

@spring-issuemaster

Mauro Molinari said:

Thank you Rob, however please note that a reference to the session registry is still on the SessionFixationProtectionStrategy.onAuthentication(Authentication, HttpServletRequest, HttpServletResponse) method Javadoc.

@spring-issuemaster

Rob Winch said:

I clearly missed that portion of the JIRA...thanks for keeping me honest :). I have moved the SessionFixationProtectionStrategy.onAuthentication reference of SessionRegistry to ConcurrentSessionControlStrategy.onAuthentication. Thanks again.

@spring-issuemaster spring-issuemaster added this to the 3.1.2 milestone Feb 5, 2016