
Thread: Spring Security session-management session-fixation-protection not working

  1. #1

    Spring Security session-management session-fixation-protection not working

    I'm using Spring Security 3.1. Following is the part of my "spring-security.xml":

    Code:
    <session-management session-fixation-protection="migrateSession"/>
    <session-management>
    <concurrency-control max-sessions="1" expired-url="/Login.html"/>
    </session-management>
    Though I set session-fixation-protection="migrateSession", if I log in using the Chrome browser, then copy the cookie value, open a Firefox browser, go to the login page, edit the cookie and paste the value from Chrome, I see that I am also logged in to my application there. That means a "session fixation attack" is possible!!!

    What did I miss in my Spring Security config?

    Thanks in Advance

    Warm Regards Akash

  2. #2


    I am also having problems making session fixation protection work. I looked at the code and ran the debugger. I have confirmed that a SessionFixationProtectionStrategy gets created. However, the bean never gets called.

    The following condition in SessionManagementFilter never materializes.

    Code:
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {

        // ...

        if (authentication != null && !authenticationTrustResolver.isAnonymous(authentication)) {
            // The user has been authenticated during the current request, so call the session strategy
            try {
                sessionAuthenticationStrategy.onAuthentication(authentication, request, response);
    Can someone explain the conditions needed for the strategy to get called?

    Thanks in advance!
    Last edited by futhark77; Sep 21st, 2012 at 03:27 PM.

  3. #3


    It seems I was not looking in the right place. I tried to log in via spring_security_login and I could finally see a call to SessionFixationProtectionStrategy. The strategy is called from the authentication processing filter.

    That changes what I need to look for. I need to find why the SessionFixationProtectionStrategy is not called when I authenticate with my custom login form. The login controller I am using may be faulty.
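The point reached in this thread is that the session fixation strategy is invoked by Spring Security's authentication processing filter, so a custom login controller that calls the AuthenticationManager itself never triggers it. The following is an added illustration, not code from the thread or from Spring Security, of a custom controller that invokes the strategy explicitly; it assumes a SessionFixationProtectionStrategy bean named sessionAuthenticationStrategy, an exposed AuthenticationManager alias, and the hypothetical paths /customLogin and /home.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;

@Controller
public class CustomLoginController { // hypothetical controller, not from the thread

    @Autowired
    private AuthenticationManager authenticationManager;

    // Assumed to be a SessionFixationProtectionStrategy bean declared in the XML config
    @Autowired
    private SessionAuthenticationStrategy sessionAuthenticationStrategy;

    @RequestMapping(value = "/customLogin", method = RequestMethod.POST)
    public String login(@RequestParam String username, @RequestParam String password,
                        HttpServletRequest request, HttpServletResponse response) {
        String preLoginSessionId = request.getSession().getId();
        try {
            Authentication result = authenticationManager.authenticate(
                    new UsernamePasswordAuthenticationToken(username, password));

            // The built-in filter performs this step; a hand-rolled controller skips it.
            // With migrateSession the strategy invalidates the pre-login session and
            // copies its attributes into a fresh one, so an id issued before login is dead.
            sessionAuthenticationStrategy.onAuthentication(result, request, response);

            SecurityContextHolder.getContext().setAuthentication(result);

            // Defensive check: the session id must differ after authentication.
            if (preLoginSessionId.equals(request.getSession().getId())) {
                throw new IllegalStateException("Session id was not rotated on login");
            }
            return "redirect:/home";
        } catch (AuthenticationException e) {
            SecurityContextHolder.clearContext();
            return "redirect:/Login.html?error";
        }
    }
}
```

The same rotation check can be applied in a test by comparing the JSESSIONID cookie before and after a successful POST to the login endpoint.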
