
  • Spring Security 2.0.3 and Struts 1.3.8 - SessionId problem

    Hey guys

    After years of messing around with self-written security code, I decided to port my Struts webapp to use Spring Security instead. Authentication and authorization are working fine but I've got a problem with SessionId.
    I tried to test my webapp inside Firefox and logged on as "Lager", some kind of superuser, and in another tab I used "100000", which is a normal user. My problem now is that the second login overwrites the first session because it uses exactly the same SessionId.

    Code:
    first login:
    [WARN] LoggerListener - Authentication event AuthenticationSuccessEvent: lager; details: org.springframework.security.ui.WebAuthenticationDetails@255f8: RemoteIpAddress: 127.0.0.1; SessionId: E15D112F3CAA5EC4578D993672D2C7BA
    [WARN] LoggerListener - Authentication event InteractiveAuthenticationSuccessEvent: lager; details: org.springframework.security.ui.WebAuthenticationDetails@255f8: RemoteIpAddress: 127.0.0.1; SessionId: E15D112F3CAA5EC4578D993672D2C7BA
    
    second login:
    [WARN] LoggerListener - Authentication event AuthenticationSuccessEvent: 100000; details: org.springframework.security.ui.WebAuthenticationDetails@255f8: RemoteIpAddress: 127.0.0.1; SessionId: E15D112F3CAA5EC4578D993672D2C7BA
    [WARN] LoggerListener - Authentication event InteractiveAuthenticationSuccessEvent: 100000; details: org.springframework.security.ui.WebAuthenticationDetails@255f8: RemoteIpAddress: 127.0.0.1; SessionId: E15D112F3CAA5EC4578D993672D2C7BA
    What am I doing wrong?

    Thx for any help.
    Michael

  • #2
    You are doing nothing wrong; it is the way the browser works.



    • #3
      Thanks for your rapid reply ;-)

      Seems that I simply never recognized this behaviour. The webapp is running for more than three years now and I've not tested those cases -> my bad.



      • #4
        You get the same behavior if you open a new window with CTRL+N from your browser. All the session information is copied to the new instance/window.

        You can have 2 solutions.
        1) Be completely stateless (i.e. don't use the session)
        2) Force session creation for a new tab (not sure how to do that).
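
The behaviour described in this thread, one browser session shared by every tab, appears in logs as a single SessionId carrying successful logins for different users. The following is an added example, not part of the thread, that flags this in LoggerListener output; the sample lines and session IDs are constructed, and the regex assumes the line layout quoted in the first post.

```python
import re
from collections import defaultdict

# Assumes the LoggerListener line layout quoted in the first post.
EVENT = re.compile(
    r"Authentication event (?P<event>\w*AuthenticationSuccessEvent): "
    r"(?P<user>[^;]+); details: .*?RemoteIpAddress: (?P<ip>[^;]+); "
    r"SessionId: (?P<sid>\S+)"
)

def principals_per_session(lines):
    """Map each SessionId to the ordered, de-duplicated users that logged in on it."""
    seen = defaultdict(list)
    for line in lines:
        m = EVENT.search(line)
        if not m:
            continue  # not a successful-authentication line
        user = m.group("user").strip()
        if user not in seen[m.group("sid")]:
            seen[m.group("sid")].append(user)
    return dict(seen)

def shared_sessions(lines):
    """Return only the sessions on which more than one user authenticated."""
    per_session = principals_per_session(lines)
    return {sid: users for sid, users in per_session.items() if len(users) > 1}

# Constructed sample input (hypothetical session IDs), same shape as the thread's log.
DETAILS = ("details: org.springframework.security.ui.WebAuthenticationDetails@255f8: "
           "RemoteIpAddress: 127.0.0.1; SessionId: ")

def sample_line(event, user, sid):
    return f"[WARN] LoggerListener - Authentication event {event}: {user}; {DETAILS}{sid}"

SAMPLE = [
    sample_line("AuthenticationSuccessEvent", "lager", "AAAA1111"),
    sample_line("InteractiveAuthenticationSuccessEvent", "lager", "AAAA1111"),
    sample_line("AuthenticationSuccessEvent", "100000", "AAAA1111"),  # second tab
    sample_line("InteractiveAuthenticationSuccessEvent", "100000", "AAAA1111"),
    sample_line("AuthenticationSuccessEvent", "100000", "BBBB2222"),  # separate browser
    "[WARN] SomethingElse - unrelated line",
]

if __name__ == "__main__":
    for sid, users in shared_sessions(SAMPLE).items():
        print(f"session {sid}: user changed {' -> '.join(users)}")
```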
