You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Method getRequestedSessionId in SessionRepositoryRequestWrapper (SessionRepositoryFilter.java) returns null if session id from request is not associated with any session from sessionRepository.
Is this correct behavior?
I'm using spring-session with spring-security and if requested session id is null, invalidSessionStrategy from SessionManagementFilter wont execute.
From SessionManagementFilter:
if (request.getRequestedSessionId() != null
&& !request.isRequestedSessionIdValid()) {
if (logger.isDebugEnabled()) {
logger.debug("Requested session ID "
+ request.getRequestedSessionId() + " is invalid.");
}
if (invalidSessionStrategy != null) {
invalidSessionStrategy
.onInvalidSessionDetected(request, response);
return;
}
}
Shouldn't getRequestedSessionId just return session id from request without any validation? That was behavior in 1.3.3.RELEASE version.
The text was updated successfully, but these errors were encountered:
spring-session 2.0.5.RELEASE
spring-security 5.0.7.RELEASE
Method getRequestedSessionId in SessionRepositoryRequestWrapper (SessionRepositoryFilter.java) returns null if session id from request is not associated with any session from sessionRepository.
Is this correct behavior?
I'm using spring-session with spring-security and if requested session id is null, invalidSessionStrategy from SessionManagementFilter wont execute.
From SessionManagementFilter:
Shouldn't getRequestedSessionId just return session id from request without any validation? That was behavior in 1.3.3.RELEASE version.
The text was updated successfully, but these errors were encountered: