SEC-2692: Tomcat's session fixation protection conflicts with concurrency control #2913
By default in Tomcat 7, session fixation protection is enabled. That means that if you are using SSL mutual (client-cert) authentication (on the Tomcat side) and form-login authentication with SS, the concurrency control is effectively bypassed.
In order for the CompositeSessionAuthenticationStrategy to work properly, the changeSessionIdOnAuthentication attribute must be set to false on the SSLAuthenticator in /conf/context.xml:
<Valve className="org.apache.catalina.authenticator.SSLAuthenticator" changeSessionIdOnAuthentication="false" />
Please add a warning in the documentation (http://docs.spring.io/spring-security/site/docs/3.2.4.RELEASE/reference/htmlsingle/#concurrent-sessions) as it's a big frustration - at least it was for me :)
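As an added illustration (not part of the original issue and not Spring Security's or Tomcat's own documentation), the two halves of the setup the reporter describes, side by side: the Tomcat context.xml valve as it must be configured, and a Spring Security 3.2 XML namespace configuration enabling concurrency control (max-sessions, the HttpSessionEventPublisher listener). The max-sessions value, the login page path and the use of the security namespace prefix are assumptions chosen for the example; the default of changeSessionIdOnAuthentication being true is the Tomcat 7 behaviour the issue refers to.

```xml
<!-- Tomcat conf/context.xml (assumed layout for this example).
     With the default changeSessionIdOnAuthentication="true", the container
     rotates the session id on client-cert authentication, so the id that
     Spring Security registered for concurrency control no longer matches
     the live session and the max-sessions limit is not enforced. -->
<Context>
  <!-- Weak combination when Spring Security manages session fixation itself: -->
  <!-- <Valve className="org.apache.catalina.authenticator.SSLAuthenticator" /> -->

  <!-- Corrected: let Spring Security's CompositeSessionAuthenticationStrategy
       handle session-fixation protection and session registration. -->
  <Valve className="org.apache.catalina.authenticator.SSLAuthenticator"
         changeSessionIdOnAuthentication="false" />
</Context>

<!-- Spring Security 3.2 configuration (assumed file name: security-context.xml).
     session-fixation-protection plus concurrency-control makes the namespace
     build a CompositeSessionAuthenticationStrategy that registers the session
     id it expects to see on later requests. -->
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
               http://www.springframework.org/schema/beans/spring-beans.xsd
               http://www.springframework.org/schema/security
               http://www.springframework.org/schema/security/spring-security-3.2.xsd">

  <http>
    <intercept-url pattern="/**" access="ROLE_USER" />
    <form-login login-page="/login" />   <!-- assumed login page -->
    <session-management session-fixation-protection="changeSessionId">
      <!-- assumed limit: one concurrent session per principal -->
      <concurrency-control max-sessions="1" error-if-maximum-exceeded="true" />
    </session-management>
  </http>

  <!-- Users, providers, etc. omitted; not relevant to the interaction shown. -->
</beans:beans>

<!-- web.xml: required so that session destruction is reported to the
     SessionRegistry, otherwise expired sessions stay counted. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <listener>
    <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
  </listener>
</web-app>
```

To check the fix on a running instance, log in from two clients as the same user with the valve attribute at its default and observe that both sessions stay valid; after setting changeSessionIdOnAuthentication="false" and restarting, the second login should be rejected (error-if-maximum-exceeded) or expire the first session, depending on the setting chosen.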