SEC-2156: Provide a way to configure HttpSession tracking mode with Spring Security #2381

spring-issuemaster opened this issue Apr 3, 2013 · 2 comments


@spring-issuemaster spring-issuemaster commented Apr 3, 2013

Adib Saikali (Migrated from SEC-2156) said:

Servlet 3.0 allows an application to request that HTTP sessions be tracked using the SSL session id rather than the JSESSIONID cookie or URL rewriting.

According to the Tomcat docs (bottom of the page), a context listener is needed to configure this.

It would be great if Spring Security had an option to turn this on when it is being initialized, with the ability to stop the application context, by stopping the Spring web application context.

It should be possible to have a configuration such that, if the web container does not support SSL session id tracking, the app does not process any requests, or sends all requests to an error page.

```java
package org.apache.tomcat.example;

import java.util.EnumSet;

import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionTrackingMode;

public class SessionTrackingModeListener implements ServletContextListener {

    public void contextDestroyed(ServletContextEvent event) {
        // Do nothing
    }

    public void contextInitialized(ServletContextEvent event) {
        ServletContext context = event.getServletContext();
        // Track sessions by SSL session id only: no JSESSIONID cookie, no URL rewriting
        EnumSet<SessionTrackingMode> modes = EnumSet.of(SessionTrackingMode.SSL);
        context.setSessionTrackingModes(modes);
    }
}
```


@spring-issuemaster spring-issuemaster commented Jul 3, 2013

Rob Winch said:

This can be integrated with AbstractSecurityWebApplicationInitializer

@spring-issuemaster spring-issuemaster commented Jul 20, 2013

Rob Winch said:

This has been added to AbstractSecurityWebApplicationInitializer. The default modes are SSL and COOKIE (not URL) to help avoid session fixation attacks.
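An added example, not code from this issue or from Spring Security itself, showing how an application uses the hook described in the two comments above and also gets the fail-fast behaviour the original report asked for: a subclass of AbstractSecurityWebApplicationInitializer returns SSL and COOKIE from getSessionTrackingModes(), then checks the container's effective modes in afterSpringSecurityFilterChain() and aborts startup if SSL tracking was not applied or URL tracking is still on. The package name com.example.security and the class name SecurityInitializer are assumptions; getSessionTrackingModes() and afterSpringSecurityFilterChain() are protected hooks of AbstractSecurityWebApplicationInitializer, and getEffectiveSessionTrackingModes() is part of the Servlet 3.0 ServletContext API.

```java
// Added example (not from the issue or from Spring Security): the package and
// class names are assumed for illustration.
package com.example.security;

import java.util.EnumSet;
import java.util.Set;

import javax.servlet.ServletContext;
import javax.servlet.SessionTrackingMode;

import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;

/**
 * The superclass registers springSecurityFilterChain; this subclass asks the
 * container to track sessions by SSL session id or cookie. URL rewriting is
 * deliberately excluded: a session id carried in the URL ends up in logs and
 * Referer headers and is what session fixation via crafted links relies on.
 */
public class SecurityInitializer extends AbstractSecurityWebApplicationInitializer {

    // Spring Security passes this set to ServletContext.setSessionTrackingModes()
    // during onStartup(). A container that cannot support one of the modes
    // rejects the call with an IllegalArgumentException, which already stops
    // deployment.
    @Override
    protected Set<SessionTrackingMode> getSessionTrackingModes() {
        return EnumSet.of(SessionTrackingMode.SSL, SessionTrackingMode.COOKIE);
    }

    // Called after the filter chain has been registered. Verify what the
    // container actually applied, so deployment fails instead of quietly
    // serving requests with a weaker tracking mode than intended.
    @Override
    protected void afterSpringSecurityFilterChain(ServletContext servletContext) {
        Set<SessionTrackingMode> effective = servletContext.getEffectiveSessionTrackingModes();
        if (!effective.contains(SessionTrackingMode.SSL)) {
            throw new IllegalStateException(
                "Container does not track sessions by SSL session id; effective modes: " + effective);
        }
        if (effective.contains(SessionTrackingMode.URL)) {
            throw new IllegalStateException(
                "URL session tracking is still enabled; effective modes: " + effective);
        }
    }
}
```

Throwing from the initializer makes the container fail the web application's deployment, which is the "does not process any requests" outcome from the original request; the alternative of sending every request to an error page would need a filter registered in beforeSpringSecurityFilterChain() instead of an exception here. Note that SSL tracking only has an id to work with on an HTTPS connector: a request arriving over plain HTTP falls back to the cookie, so the SSL mode is a hardening of HTTPS deployments, not a substitute for forcing HTTPS.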
