Session is not invalidated on logout

[orange-buffalo]

Describe the bug
On logout in a Reactive application, the WebSession is not invalidated.

To Reproduce

1. Login with a user.
2. Add attributes to the session.
3. Logout.
4. Login with the same or another user from the same browser.
5. Attributes added in step 2 are available in the new session.

See SessionInvalidationTest.java in the sample repo for the reproducer test case.

Reproduced for HTTP Basic in the provided test case and in OAuth2 login/logout in the product code.

Expected behavior
WebSession is invalidated on logout.

Actual behavior
Only the ID of the session (WebSession#changeSessionId) and security context attribute is updated.

Workaround
Add a custom ServerLogoutHandler wrapped in a DelegatingServerLogoutHandler to join it with the default SecurityContextServerLogoutHandler:

.logout(logout -> logout
    .logoutHandler(new DelegatingServerLogoutHandler(
             new SecurityContextServerLogoutHandler(),
             (exchange, authentication) -> exchange.getExchange()
                       .getSession()
                       .flatMap(WebSession::invalidate)
    ))
)

Sample
https://github.com/orange-buffalo/spring-security-session-invalidation-reproducer

[marcusdacoregio]

Hi @orange-buffalo, thanks for the report. It seems like you did it in the right way!

I will close this issue as resolved but I'll tag @jzheaux to help to confirm that this is the expected behavior, if not we reopen it.

[jzheaux]

Yes, this is correct since there is no WebSessionServerLogoutHandler. However, I think it would be good to add this implementation. @orange-buffalo are you able to supply a PR for #4838 which would introduce this logout handler?

[orange-buffalo]

Yes, I should be able to handle it. Will be busy during the nearest days, so will start with this in a couple of weeks.