  • Getting Old session at the time of login

    Hi
    I am using Spring Security 3.1.0. When a user logs in in a browser,
    the Spring Security class SessionFixationProtectionStrategy.java
    is getting the old session, so session.invalidate() is called.

    Code:
    public class SessionFixationProtectionStrategy implements SessionAuthenticationStrategy {
        protected final Log logger = LogFactory.getLog(this.getClass());
        public void onAuthentication(Authentication authentication, HttpServletRequest request, HttpServletResponse response) {
    
            boolean hadSessionAlready = request.getSession(false) != null;
    
            // The value of hadSessionAlready is getting true.
    
            if (!hadSessionAlready && !alwaysCreateSession) {
                // Session fixation isn't a problem if there's no session
    
                return;
            }
    
            // Create new session if necessary
            HttpSession session = request.getSession();
    
            if (hadSessionAlready && request.isRequestedSessionIdValid()) {
                // We need to migrate to a new session
                String originalSessionId = session.getId();

    Because the value of hadSessionAlready becomes true, it is calling session.invalidate in that class, which is triggering the following class:

    Code:
    public class SessionDestroyEventListener implements ApplicationListener<ApplicationEvent> {
    
        @Override
        public void onApplicationEvent(ApplicationEvent event) {

            LOGGER.debug("Entering: SessionDestroyEventListener :Method: onApplicationEvent()");

            if (event instanceof HttpSessionDestroyedEvent) {
                //Do Something
            }
        }
    }

    So // Do Something is getting called; basically, at the time of login, the process related to logout is getting called.

    My spring security config is as below:

    Code:
    <security:http access-denied-page="/denied.html"
    		entry-point-ref="preAuthenticatedProcessingFilterEntryPointID"
    		path-type="regex">
    		
    	  <security:session-management session-fixation-protection="none"/>

    Can somebody tell me why the value

    request.getSession(false) != null;

    in the class SessionFixationProtectionStrategy.java is coming as true?
    Last edited by saurabhsuman5289; Sep 14th, 2012, 12:11 AM.
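
An added example, not part of the original post and not Spring Security's own code: one way to keep logout processing from running when the session destroyed is the pre-login session replaced at authentication. The class name and the `onAuthenticatedSessionEnded` hook are hypothetical, and the listener assumes `HttpSessionDestroyedEvent.getSecurityContexts()` is available in the Spring Security version in use.

```java
import java.util.List;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.context.ApplicationListener;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.web.session.HttpSessionDestroyedEvent;

/**
 * Hypothetical listener (class and method names are not from the post).
 * HttpSessionDestroyedEvent is published for every invalidated session,
 * including the pre-login session that SessionFixationProtectionStrategy
 * replaces, so logout work is gated on an authenticated SecurityContext.
 */
public class AuthenticatedSessionDestroyedListener
        implements ApplicationListener<HttpSessionDestroyedEvent> {

    private static final Log LOGGER =
            LogFactory.getLog(AuthenticatedSessionDestroyedListener.class);

    @Override
    public void onApplicationEvent(HttpSessionDestroyedEvent event) {
        // Assumption: getSecurityContexts() exists in the version in use.
        List<SecurityContext> contexts = event.getSecurityContexts();

        for (SecurityContext context : contexts) {
            Authentication auth = context.getAuthentication();
            if (auth != null && auth.isAuthenticated()
                    && !(auth instanceof AnonymousAuthenticationToken)) {
                onAuthenticatedSessionEnded(auth);
                return;
            }
        }
        // No authenticated user was bound to this session, e.g. the session
        // discarded at login: skip the logout processing.
        LOGGER.debug("Ignoring destroyed session with no authenticated user");
    }

    /** Placeholder for the "Do Something" logout processing from the post. */
    protected void onAuthenticatedSessionEnded(Authentication auth) {
        LOGGER.info("Session ended for user " + auth.getName());
    }
}
```

A user who logs in again from an already authenticated session would still reach the hook, because that old session does hold an authenticated context.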