Announcement Announcement Module
No announcement yet.
Spring Security session-management session-fixation-protection not working Page Title Module
Move Remove Collapse
Conversation Detail Module
  • Filter
  • Time
  • Show
Clear All
new posts

  • Spring Security session-management session-fixation-protection not working

    I'm using Spring 3.1 Security. Following is the part of my "spring-security.xml"

    <session-management session-fixation-protection="migrateSession"/>
    <concurrency-control max-sessions="1" expired-url="/Login.html"/>
    Though i set session-fixation-protection="migrateSession" still if i logged in using "Chrome Browser" then copy cookie value and open a "Fire Fox Browse" and go to the login page then edit the cookie and past value from "Chrome Browser"!!! Then i see i am also logged in my application. That mean "session fixation attack" is possible !!!

    What i missed in my spring security config ?

    Thanks in Advance

    Warm Regards Akash

  • #2
    I am also having problems to make session fixation protection work. I looked at the code and ran the debugger. I have confirmed a SessionFixationProtectionStrategy gets created. However, the bean never gets called.

    The following condition in SessionManagementFilter never materializes.

        public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
                throws IOException, ServletException {
        // ...
                if (authentication != null && !authenticationTrustResolver.isAnonymous(authentication)) {
                 // The user has been authenticated during the current request, so call the session strategy
                    try {
                        sessionAuthenticationStrategy.onAuthentication(authentication, request, response);
    Can someone explain the conditions needed for the strategy to get called?

    Thanks in advance!
    Last edited by futhark77; Sep 21st, 2012, 03:27 PM.


    • #3
      It seems I was not looking at the right place. I tried to login via spring_security_login and I could finally see a call to SessionFixationProtectionStrategy. The strategy is called from the authentication processing filter.

      That changes what I need to look for. I need to find why the SessionFixationProtectionStrategy is not called when I authenticate with my custom login form. The login controller I am using may be faulty.


      • #4
        Thank you for the hint, I had the same problem with a custom AuthenticationProcessingFilter which extends AbstractAuthenticationProcessingFilter and solved it by setting the sessionAuthenticationStrategy, which probably gets configured automatically when you let Spring configure the standard components:

        <bean id="authenticationProcessingFilter" class="com.example.CustomAuthenticationProcessingFilter">
        	<property name="sessionAuthenticationStrategy">
        		<bean class="">
        			<property name="migrateSessionAttributes" value="true"/>
        It would be nice to have it documented somehwere how exactly Spring Security configures its components by default, so that important things like this one don't get lost when you need to extend some components.