Incorrect authentication detail sessionId in AuthenticationSuccessEvent event.

  • Incorrect authentication detail sessionId in AuthenticationSuccessEvent event.

    In my app, using Spring Security 3.0.5, I need to log the user's IP address and the session ID for every successful login.
    I use an AuthenticationSuccessEvent listener:
    // Imports added so the listener compiles (log4j 1.x Logger assumed)
    import org.apache.log4j.Logger;
    import org.springframework.context.ApplicationListener;
    import org.springframework.security.authentication.event.AuthenticationSuccessEvent;
    import org.springframework.security.web.authentication.WebAuthenticationDetails;
    public class AuthenticationSuccessEventListner implements ApplicationListener<AuthenticationSuccessEvent> {
        private static final Logger logger = Logger.getLogger(AuthenticationSuccessEventListner.class);
        public void onApplicationEvent(AuthenticationSuccessEvent event) {
            logger.info("Application Event: AuthenticationSuccessEvent: User: " + event.getAuthentication().getName());
            Object principal = event.getAuthentication().getPrincipal();
            if (principal instanceof Utente) {
                Utente newUser = (Utente) principal;
                WebAuthenticationDetails authDetails = (WebAuthenticationDetails) event.getAuthentication().getDetails();
                logger.info("  ip: " + authDetails.getRemoteAddress() + "  sessId: " + authDetails.getSessionId());
                // .... more code .....
            }
        }
    }
    It works fine, but the session ID is wrong; in my application log I can see:
    2011/05/19 11:13:41.610 [ INFO,       AuthenticationSuccessEventListner,http-8443-5:  54] Application Event: AuthenticationSuccessEvent: Utente: XTE
    2011/05/19 11:13:41.611 [ INFO,       AuthenticationSuccessEventListner,http-8443-5:  66]   ip:  sessId: 8D860300C85487E4793B2D27A09C91B3
    2011/05/19 11:13:41.636 [DEBUG,              SessionDestroyEventListner,http-8443-5:  50]  Session destroy event: 8D860300C85487E4793B2D27A09C91B3
    2011/05/19 11:17:36.002 [DEBUG,               SessionCreateEventListner,http-8443-5:  45]  Session create event: C92D32AEB43D5CA84F1724BD2C452994
    The AuthenticationSuccessEvent reports the session ID as 8D860300C85487E4793B2D27A09C91B3, but the browser in the application uses the session with ID C92D32AEB43D5CA84F1724BD2C452994.

    In my servlet-security.xml I use:
    <session-management>
        <concurrency-control max-sessions="1" error-if-maximum-exceeded="false" expired-url="/Login.htm?error=expired"/>
    </session-management>
    Where am I wrong?

    Thanks all.

  • #2
    The session ID is generally changed after login to prevent session-fixation attacks. So it will be different from the original session which is stored in the WebAuthenticationDetails object. You would need to customize the creation of the Authentication object if you want to store the new session ID.


    • #3
      Hi Luke,
      OK, that is fine, but at the moment the Authentication object is created I do not know the correct session ID; I have only the current session ID (i.e. the session ID of the login page).

      The AuthenticationSuccessEvent is published by ProviderManager after the call to provider.authenticate() returns a non-null result (in my case the provider is mainly an LdapAuthenticationProvider), and at this point I have already set the session ID.

      After investigation: SessionFixationProtectionStrategy.onAuthentication is called after successful authentication; it copies all attributes from the session, invalidates the session, then creates a new session and writes the attributes into it.

      All of this happens after the AuthenticationSuccessEvent is fired.

      So the AuthenticationSuccessEvent listener isn't the right place to trace the user's true session ID.

      I have enabled the logger (level DEBUG) in Spring Security and this is my log:
      2011/05/19 16:12:05.974 [DEBUG,        ConcurrentSessionControlStrategy,http-8443-1:  84] Invalidating session with Id 'C49BBA6EA8068892EFA72A35232D1CA1' and migrating attributes.
      2011/05/19 16:12:05.975 [DEBUG,               HttpSessionEventPublisher,http-8443-1:  83] Publishing event:[[email protected]6]
      2011/05/19 16:12:05.976 [DEBUG,              SessionDestroyEventListner,http-8443-1:  50]  Session destroy event: C49BBA6EA8068892EFA72A35232D1CA1
      2011/05/19 16:12:05.977 [DEBUG,               HttpSessionEventPublisher,http-8443-1:  66] Publishing event:[[email protected]e]
      2011/05/19 16:12:05.978 [DEBUG,               SessionCreateEventListner,http-8443-1:  43]  Session create event: FA64A7813FA0739E282BEBBDE036E672
      2011/05/19 16:12:05.979 [DEBUG,        ConcurrentSessionControlStrategy,http-8443-1:  94] Started new session: FA64A7813FA0739E282BEBBDE036E672
      2011/05/19 16:12:05.979 [DEBUG,                     SessionRegistryImpl,http-8443-1: 114] Registering session FA64A7813FA0739E282BEBBDE036E672, for principal[id =1067]
      2011/05/19 16:12:05.980 [DEBUG,    UsernamePasswordAuthenticationFilter,http-8443-1: 289] Authentication success. Updating SecurityContextHolder to contain: org.springframew[email protected]441dfc0e: Principal:[id =1067]; Credentials: [PROTECTED]; Authenticated: true; Details: org.sprin[email protected]12afc: RemoteIpAddress:; SessionId: C49BBA6EA8068892EFA72A35232D1CA1; Granted Authorities: ROLE_USER
      2011/05/19 16:12:05.980 [DEBUG,                 DefaultRedirectStrategy,http-8443-1:  36] Redirecting to '/MARTAe/Home.htm'
      2011/05/19 16:12:05.981 [DEBUG,    HttpSessionSecurityContextRepository,http-8443-1: 360] SecurityContext stored to HttpSession: '[email protected]1dfc0e: Authentication: org.springframew[email protected]441dfc0e: Principal:[id =1067]; Credentials: [PROTECTED]; Authenticated: true; Details: org.sprin[email protected]12afc: RemoteIpAddress:; SessionId: C49BBA6EA8068892EFA72A35232D1CA1; Granted Authorities: ROLE_USER'
      2011/05/19 16:12:05.981 [DEBUG,        SecurityContextPersistenceFilter,http-8443-1:  89] SecurityContextHolder now cleared, as request processing completed
      You can see that the SecurityContext isn't updated with the new session ID. Why?
      Throughout my application the security context reports the old, invalidated session ID.
      Is it a Spring Security bug?



      • #4
        No, it's not a bug. The purpose of WebAuthenticationDetails is purely to pass additional information about the original web authentication request that may be relevant to the AuthenticationProvider. There has never been any suggestion that the value will be updated when the session ID changes.


        • #5
          If you really need the current session ID, you could override the behaviour of SessionFixationProtectionStrategy:

          public void onAuthentication(Authentication authentication, HttpServletRequest request, HttpServletResponse response) {
              // Let the strategy replace the session first, then rebuild the details so they carry the new session ID
              super.onAuthentication(authentication, request, response);
              ((AbstractAuthenticationToken)authentication).setDetails(new WebAuthenticationDetails(request));
          }
          What do you actually intend to use the sessionID for?


          • #6
            The customer (a little security-paranoid) needs to trace all user activities (login/logout, commands, etc.) and needs the session ID and IP address of the remote user in the log.
            The log is saved into a database table.

            About SessionFixationProtectionStrategy, I try to override the onAuthentication method and update the details of the Security Context.
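
The audit requirement discussed in this thread, as an added example that is not code from any poster or from Spring Security itself: a strategy subclass that writes the login record only after session-fixation protection has swapped the session, so the pre-login and post-login IDs can be correlated. The class name `AuditingSessionStrategy`, the log field names and the use of a log4j 1.x `Logger` are assumptions.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.apache.log4j.Logger;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.WebAuthenticationDetails;
import org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy;

/**
 * Added example (hypothetical class name): writes the login audit record
 * after the session-fixation strategy has replaced the session.
 */
public class AuditingSessionStrategy extends SessionFixationProtectionStrategy {

    private static final Logger logger = Logger.getLogger(AuditingSessionStrategy.class);

    @Override
    public void onAuthentication(Authentication authentication,
                                 HttpServletRequest request,
                                 HttpServletResponse response) {
        // Session ID of the login page, captured when the token was built.
        String preLoginId = null;
        Object details = authentication.getDetails();
        if (details instanceof WebAuthenticationDetails) {
            preLoginId = ((WebAuthenticationDetails) details).getSessionId();
        }

        // Invalidates the old session and creates the new one.
        super.onAuthentication(authentication, request, response);

        // After super returns, the request is bound to the post-login session.
        // It is null only if no session existed before authentication.
        HttpSession session = request.getSession(false);
        String postLoginId = (session != null) ? session.getId() : null;

        logger.info("login user=" + sanitize(authentication.getName())
                + " ip=" + request.getRemoteAddr()
                + " preLoginSession=" + preLoginId
                + " session=" + postLoginId);
    }

    // Strip CR/LF so a crafted username cannot forge extra log lines.
    private static String sanitize(String value) {
        return value == null ? null : value.replaceAll("[\\r\\n]", "_");
    }
}
```

A live session ID works as a bearer credential, so the audit table that stores it needs the same access restrictions as the session store, or the record can hold a hash of the ID instead.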