SEC-2156: Provide a way to configure HttpSession tracking mode with Spring Security #2381
Servlet 3.0 allows an application to request that HTTP sessions be tracked using the SSL session id rather than the JSESSIONID cookie or URL rewriting.
According to the Tomcat docs (bottom of the page http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html), a Context Listener is needed to configure this.
It would be great if Spring Security had an option to turn this on when it is being initialized, with the ability to stop the application context, by stopping the Spring web application context.
It should be possible to have a configuration such that if the web container does not support SSL session id tracking the app does not process any requests, or sends all requests to an error page.
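The behaviour requested above can be sketched with the plain Servlet 3.0 API (`javax.servlet`). This is an added example, not Spring Security code or configuration; the class names `SslSessionTrackingListener` and `RejectAllFilter` and the filter name are hypothetical. It requests SSL-only tracking at context start and, if the container refuses it, fails closed by answering every request with 503 instead of falling back to cookies or URL rewriting.

```java
import java.io.IOException;
import java.util.EnumSet;
import javax.servlet.*;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpServletResponse;

// Hypothetical class; illustrates the request in this issue, not a Spring Security API.
@WebListener
public class SslSessionTrackingListener implements ServletContextListener {

    @Override
    public void contextInitialized(ServletContextEvent event) {
        ServletContext ctx = event.getServletContext();
        EnumSet<SessionTrackingMode> sslOnly = EnumSet.of(SessionTrackingMode.SSL);
        try {
            // Throws IllegalArgumentException when the container does not
            // support the requested tracking mode.
            ctx.setSessionTrackingModes(sslOnly);
            if (ctx.getEffectiveSessionTrackingModes().equals(sslOnly)) {
                return; // the SSL session id is now the only tracking mechanism
            }
        } catch (IllegalArgumentException e) {
            ctx.log("SSL session tracking is not supported by this container", e);
        }
        // Fail closed: reject every incoming request rather than silently
        // falling back to the JSESSIONID cookie or URL rewriting.
        // Only REQUEST dispatches are mapped so the container's error page
        // (an ERROR dispatch) can still be rendered.
        ctx.addFilter("sslTrackingUnavailable", new RejectAllFilter())
           .addMappingForUrlPatterns(EnumSet.of(DispatcherType.REQUEST), false, "/*");
    }

    @Override
    public void contextDestroyed(ServletContextEvent event) { }

    // Hypothetical filter that answers 503 and never continues the chain.
    static final class RejectAllFilter implements Filter {
        @Override public void init(FilterConfig config) { }
        @Override public void destroy() { }
        @Override
        public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
                throws IOException {
            ((HttpServletResponse) res).sendError(
                HttpServletResponse.SC_SERVICE_UNAVAILABLE,
                "SSL session tracking unavailable");
        }
    }
}
```

SSL session tracking only works when TLS terminates at the servlet container itself, so a deployment behind a TLS-terminating proxy would take the 503 path or see no usable SSL session id.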