SEC-2470: SessionFixationProtectionStrategy should migrate maxInactiveInterval #2693

@spring-projects-issues

Dan Dormont (Migrated from SEC-2470) said:

When SessionFixationProtectionStrategy creates a new HTTPSession based on an existing session, even if migrateSessionAttributes is enabled, it does not preserve the maxInactiveInterval value from the previous session.

The Javadoc doesn't say it does, so perhaps this isn't strictly a bug, but it seems like a reasonable expectation that SessionFixationProtectionStrategy would have this behavior.

Labels

in: web (An issue in web modules (web, webmvc))

type: breaks-passivity (A change that breaks passivity with the previous release)
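
One way to carry the timeout across the session swap described in this issue, shown as an added example that is not part of the original issue or of Spring Security's own code. The class name `TimeoutPreservingSessionStrategy` is hypothetical, and the `javax.servlet` imports are an assumption (use `jakarta.servlet` on releases built against Jakarta EE).

```java
import javax.servlet.http.HttpServletRequest;   // assumption: javax.* namespace
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.session.SessionAuthenticationException;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;

/**
 * Hypothetical wrapper (not a Spring Security class): delegates to another
 * SessionAuthenticationStrategy, such as SessionFixationProtectionStrategy,
 * and copies maxInactiveInterval from the pre-login session to its replacement.
 */
public class TimeoutPreservingSessionStrategy implements SessionAuthenticationStrategy {

    private final SessionAuthenticationStrategy delegate;

    public TimeoutPreservingSessionStrategy(SessionAuthenticationStrategy delegate) {
        this.delegate = delegate;
    }

    @Override
    public void onAuthentication(Authentication authentication,
                                 HttpServletRequest request,
                                 HttpServletResponse response)
            throws SessionAuthenticationException {
        HttpSession before = request.getSession(false);
        if (before == null) {
            // No pre-login session, so there is no timeout to carry over.
            delegate.onAuthentication(authentication, request, response);
            return;
        }
        // Read both values first: the delegate may invalidate this session.
        String oldId = before.getId();
        int oldTimeout = before.getMaxInactiveInterval();

        delegate.onAuthentication(authentication, request, response);

        HttpSession after = request.getSession(false);
        // Only adjust a session that actually replaced the old one.
        if (after != null && !after.getId().equals(oldId)) {
            after.setMaxInactiveInterval(oldTimeout);
        }
    }
}
```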