Hi
I am using Spring Security 3.1.0. When a user logs in through a browser,
in the Spring Security class SessionFixationProtectionStrategy.java
it is getting the old session, so session.invalidate() is called.
Because the value of hadSessionAlready becomes true, it is calling session.invalidate() in that class, which is triggering the following class:
Code:
public class SessionFixationProtectionStrategy implements SessionAuthenticationStrategy {
    protected final Log logger = LogFactory.getLog(this.getClass());

    public void onAuthentication(Authentication authentication, HttpServletRequest request, HttpServletResponse response) {
        boolean hadSessionAlready = request.getSession(false) != null; // The value of hadSessionAlready is getting true.

        if (!hadSessionAlready && !alwaysCreateSession) {
            // Session fixation isn't a problem if there's no session
            return;
        }

        // Create new session if necessary
        HttpSession session = request.getSession();

        if (hadSessionAlready && request.isRequestedSessionIdValid()) {
            // We need to migrate to a new session
            String originalSessionId = session.getId();
            // ... (the rest of the method as quoted in the post was cut off)
        }
    }
}
So, // Do Something is getting called; basically, at the time of login, the process related to logout is getting called.
Code:
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.context.ApplicationEvent;
import org.springframework.context.ApplicationListener;
import org.springframework.security.web.session.HttpSessionDestroyedEvent;

public class SessionDestroyEventListener implements ApplicationListener<ApplicationEvent> {
    private static final Log LOGGER = LogFactory.getLog(SessionDestroyEventListener.class);

    @Override
    public void onApplicationEvent(ApplicationEvent event) {
        LOGGER.debug("Entering: SessionDestroyEventListener :Method: onApplicationEvent()");
        if (event instanceof HttpSessionDestroyedEvent) {
            // Do Something
        }
    }
}
My Spring Security config is as below:
Code:
<security:http access-denied-page="/denied.html" entry-point-ref="preAuthenticatedProcessingFilterEntryPointID" path-type="regex">
    <security:session-management session-fixation-protection="none"/>
    <!-- ... (the rest of the configuration as quoted in the post was cut off) -->
</security:http>

Can somebody tell me why the value of
Code:
request.getSession(false) != null;
in the class SessionFixationProtectionStrategy.java is coming as true?


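The sequence the post describes (session migration during login invalidates the pre-login session, which fires HttpSessionDestroyedEvent and so runs logout logic at login time) can be handled in the listener itself. The following is an added example, not code from the original post: a listener that only runs its logout work when the session being destroyed actually carried an authenticated principal. It reads the SPRING_SECURITY_CONTEXT attribute of the dying session; on a first login the pre-login session has no such attribute yet, so the migration's invalidate() is ignored. The class name and the onAuthenticatedSessionDestroyed() hook are assumptions made for the example.

```java
import javax.servlet.http.HttpSession;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.context.ApplicationListener;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
import org.springframework.security.web.session.HttpSessionDestroyedEvent;

/**
 * Added example (not from the original post). Listener that skips logout
 * clean-up for sessions that never held an authenticated principal, such as
 * the pre-login session that SessionFixationProtectionStrategy invalidates
 * while migrating to a fresh session id during login.
 */
public class AuthenticatedSessionDestroyedListener
        implements ApplicationListener<HttpSessionDestroyedEvent> {

    private static final Log LOGGER =
            LogFactory.getLog(AuthenticatedSessionDestroyedListener.class);

    @Override
    public void onApplicationEvent(HttpSessionDestroyedEvent event) {
        HttpSession session = event.getSession();
        String sessionId = session.getId();

        // HttpSessionEventPublisher publishes this event from
        // HttpSessionListener.sessionDestroyed(), which the Servlet spec calls
        // before the session is actually invalidated, so its attributes are
        // still readable here.
        Object contextAttr = session.getAttribute(
                HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY);

        if (!(contextAttr instanceof SecurityContext)) {
            // First-login case from the post: the old session had no security
            // context, so there is no logged-in user to clean up after.
            LOGGER.debug("Session " + sessionId
                    + " destroyed without a security context; skipping logout logic");
            return;
        }

        Authentication auth = ((SecurityContext) contextAttr).getAuthentication();
        if (auth == null || !auth.isAuthenticated()) {
            LOGGER.debug("Session " + sessionId
                    + " destroyed without an authenticated principal; skipping logout logic");
            return;
        }

        onAuthenticatedSessionDestroyed(sessionId, auth);
    }

    /**
     * Hypothetical hook (assumption for this example): put the real
     * logout clean-up here. It only runs for sessions that held an
     * authenticated user.
     */
    protected void onAuthenticatedSessionDestroyed(String sessionId, Authentication auth) {
        LOGGER.info("Authenticated session " + sessionId
                + " for user " + auth.getName() + " was destroyed");
    }
}
```

Register it as an ordinary bean in the application context alongside HttpSessionEventPublisher in web.xml, as with the listener in the post. Note the limit of this check: if an already-authenticated user logs in again, the old session does contain a security context and the hook will run for it, which is usually the desired behaviour since that session really is ending. Spring Security 3.1 also publishes a SessionFixationProtectionEvent with the old and new session ids after the migration, but it is published after the HttpSessionDestroyedEvent, so it can only be used to correlate the two after the fact, not to suppress the destroyed event in advance.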