Summary
The SessionFixationProtectionStrategy class creates a new session, even if you have configured create-session="never".
Actual Behavior
The use case is that you want different URLs to behave differently. For example:
URLs from "/example_1/" should not create a new session, but should use one if it exists
URLs from "/example_2/" should create a session "if required"
Because the SessionFixationProtectionStrategy assumes that you always want to create a session if one already exists then this makes this desired behavior impossible.
This line is the culprit:
session = request.getSession(true); // we now have a new session
Expected Behavior
SessionFixationProtectionStrategy should not ignore create-session="never"
(The session should still be invalidated - just not a new one created)
Configuration
create-session="never" for some URLs and create-session="ifRequired" for other URLs.
Version
spring-security-web-3.2.5
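The behaviour the report asks for (invalidate the pre-login session, but only create a replacement where session creation is allowed) can be expressed as a custom SessionAuthenticationStrategy. The class below is an added illustration written for this page, not code from Spring Security; the class name, the allowCreate flag and the attribute-migration option are assumptions, and it targets the javax.servlet API and the org.springframework.security.web.authentication.session.SessionAuthenticationStrategy interface that spring-security-web 3.2.x ships.

```java
package example; // hypothetical package, not part of spring-security-web

import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;

/**
 * Hypothetical strategy (added example, not Spring Security's own code).
 *
 * It always invalidates the session that existed before authentication, so the
 * pre-login session id cannot be reused (the fixation defence), but it calls
 * request.getSession(true) only when allowCreate is true. With allowCreate=false
 * it behaves the way create-session="never" is expected to.
 */
public class OptionalCreateSessionFixationStrategy implements SessionAuthenticationStrategy {

    private final boolean allowCreate;
    private final boolean migrateSessionAttributes;

    public OptionalCreateSessionFixationStrategy(boolean allowCreate, boolean migrateSessionAttributes) {
        this.allowCreate = allowCreate;
        this.migrateSessionAttributes = migrateSessionAttributes;
    }

    @Override
    public void onAuthentication(Authentication authentication,
                                 HttpServletRequest request,
                                 HttpServletResponse response) {
        // getSession(false) never creates a session; null means there is nothing to fix.
        HttpSession session = request.getSession(false);
        if (session == null) {
            return;
        }

        // Snapshot attributes before invalidation if they should survive the id change.
        Map<String, Object> attributes = migrateSessionAttributes ? copyAttributes(session) : null;

        // The fixation defence proper: the old id must not remain valid after login.
        session.invalidate();

        if (!allowCreate) {
            // create-session="never" semantics: stop here, do not create a replacement.
            return;
        }

        // Only reached when creation is permitted for this request's URL pattern.
        HttpSession newSession = request.getSession(true);
        if (attributes != null) {
            for (Map.Entry<String, Object> entry : attributes.entrySet()) {
                newSession.setAttribute(entry.getKey(), entry.getValue());
            }
        }
    }

    // Copies all attributes of a live session; assumes Servlet 3.0+ generic Enumeration<String>.
    private static Map<String, Object> copyAttributes(HttpSession session) {
        Map<String, Object> copy = new HashMap<String, Object>();
        Enumeration<String> names = session.getAttributeNames();
        while (names.hasMoreElements()) {
            String name = names.nextElement();
            copy.put(name, session.getAttribute(name));
        }
        return copy;
    }
}
```

To reproduce the split described under Configuration, the "/example_1/" filter chain would be given an instance constructed with allowCreate=false and the "/example_2/" chain one with allowCreate=true (or the stock strategy). Note that with allowCreate=false nothing persists the authenticated SecurityContext across requests unless some other mechanism does, which is consistent with what "never" means.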