
SEC-2156: Provide a way to configure HttpSession tracking mode with Spring Security #2381

Closed
spring-issuemaster opened this issue Apr 3, 2013 · 2 comments
commented Apr 3, 2013

Adib Saikali (Migrated from SEC-2156) said:

Servlet 3.0 allows an application to request that HTTP sessions be tracked using the SSL session ID rather than the JSESSIONID cookie or URL rewriting.

According to the Tomcat docs (bottom of the page http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html), a context listener is needed to configure this.

It would be great if Spring Security had an option to turn this on when it is being initialized, with the ability to stop the application context, by stopping the Spring web application context.

It should be possible to have a configuration such that if the web container does not support SSL session id tracking the app does not process any requests, or sends all requests to an error page.



package org.apache.tomcat.example;

import java.util.EnumSet;

import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionTrackingMode;

public class SessionTrackingModeListener implements ServletContextListener {

    @Override
    public void contextDestroyed(ServletContextEvent event) {
        // Do nothing
    }

    @Override
    public void contextInitialized(ServletContextEvent event) {
        ServletContext context = event.getServletContext();
        // Track sessions by the TLS session id only: no JSESSIONID cookie and
        // no URL rewriting. Sessions therefore only exist over HTTPS.
        EnumSet<SessionTrackingMode> modes =
            EnumSet.of(SessionTrackingMode.SSL);

        // Must be called before the ServletContext is initialized, which is
        // why this lives in a ServletContextListener.
        context.setSessionTrackingModes(modes);
    }

}
commented Jul 3, 2013

Rob Winch said:

This can be integrated with AbstractSecurityWebApplicationInitializer

commented Jul 20, 2013

Rob Winch said:

This has been added to AbstractSecurityWebApplicationInitializer. The default modes are SSL and COOKIE (not URL) to help avoid session fixation attacks.
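An added example (not from the issue or from Spring Security's own code) of the subclass approach the comment above describes, extended with the fail-closed startup check the original request asked for. The package and class name are hypothetical, the security configuration is assumed to be registered elsewhere (for example by a DispatcherServlet initializer), and it requests SSL alone because the Servlet 3.0 `setSessionTrackingModes` contract rejects SSL combined with any other mode.

```java
package example.config; // hypothetical package for this added example

import java.util.EnumSet;
import java.util.Set;

import javax.servlet.ServletContext;
import javax.servlet.SessionTrackingMode;

import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;

/**
 * Requests SSL-session-id tracking and refuses to start if the container does
 * not honour it, so the application never silently falls back to URL rewriting
 * (which exposes the session id and enables session fixation).
 */
public class SslSessionTrackingInitializer
        extends AbstractSecurityWebApplicationInitializer {

    /** The mode set Spring Security applies to the ServletContext on startup. */
    @Override
    protected Set<SessionTrackingMode> getSessionTrackingModes() {
        // SSL may not be combined with COOKIE or URL per the Servlet API, so
        // request it alone; this assumes every request arrives over HTTPS.
        return EnumSet.of(SessionTrackingMode.SSL);
    }

    /** Runs after the filter chain is registered; verify the effective modes. */
    @Override
    protected void afterSpringSecurityFilterChain(ServletContext servletContext) {
        Set<SessionTrackingMode> effective =
                servletContext.getEffectiveSessionTrackingModes();
        if (!effective.equals(EnumSet.of(SessionTrackingMode.SSL))) {
            // Fail closed: abort deployment rather than process requests with
            // a weaker tracking mode than the one we required.
            throw new IllegalStateException(
                    "Expected SSL-only session tracking but container reports "
                            + effective);
        }
    }
}
```

Throwing from the initializer aborts the web application's startup, which is the "do not process any requests" behaviour the original request asked for; a container that still reports URL among the effective modes is treated as misconfigured.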
