problem with session-fixation-protection in spring 3.0
  • problem with session-fixation-protection in spring 3.0


    I am trying to migrate from Spring Security 2.0.4 to Spring Security 3.0.1.
    Everything seems to work fine except the session management settings in the configuration file. I want to define session-fixation-protection="newSession". In the old configuration in Spring Security 2.0.4 I used

    <security:http access-decision-manager-ref="accessDecisionManager" session-fixation-protection="newSession">.....
    and each new session was assigned a new session id after the old session had expired.
    With the latest version my config file looks like this:
    <security:http access-decision-manager-ref="accessDecisionManager">
            <security:intercept-url pattern="/admin/**" access="PERM_ADMIN"/>
            <security:intercept-url pattern="/main/**" access="PERM_USER"/>
            <security:intercept-url pattern="/help/**" access="PERM_ADMIN,PERM_USER"/>
            <security:intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY,PERM_USER,PERM_ADMIN"/>
            <security:form-login login-page="/login.jsf" authentication-failure-url="/login.jsf?error=true" login-processing-url="/j_security_check" />
            <security:logout logout-url="/logout.jsf" logout-success-url="/login.jsf" />
            <security:session-management session-fixation-protection="newSession">
                <security:concurrency-control max-sessions="1" error-if-maximum-exceeded="false" />
            </security:session-management>
    </security:http>
    and in the log I get the message:
    Your servlet container did not change the session ID when a new session was created. You will not be adequately protected against session-fixation attacks
    What could be the reason why the session-fixation protection doesn't work? Is there something else I have to define somewhere in the configuration?
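The warning above is emitted when the container hands back the same session ID after the old session has been invalidated. The following is an added illustration (not code from the thread or from Spring Security itself) of what the three session-fixation-protection values do after login, using a toy in-memory container whose `reuses_ids` flag is an assumption that models a container that fails to rotate the ID:

```python
from dataclasses import dataclass, field
import itertools

WARNING = ("Your servlet container did not change the session ID when a new "
           "session was created. You will not be adequately protected against "
           "session-fixation attacks")


@dataclass
class Session:
    id: str
    attributes: dict = field(default_factory=dict)
    valid: bool = True


class Container:
    """Toy servlet container (constructed for this example).

    reuses_ids=True models a container that returns the previous ID for the
    new session, which is the condition that triggers Spring's warning.
    """

    def __init__(self, reuses_ids=False):
        self.reuses_ids = reuses_ids
        self._ids = itertools.count(1)
        self.current = None

    def get_session(self, create=True):
        if self.current is not None and self.current.valid:
            return self.current
        if not create:
            return None
        if self.current is not None and self.reuses_ids:
            sid = self.current.id
        else:
            sid = f"S{next(self._ids):04d}"
        self.current = Session(sid)
        return self.current


def on_authentication(container, strategy):
    """Apply session-fixation-protection after a successful login.

    strategy: "none", "migrateSession" (copy attributes) or "newSession"
    (fresh, empty session). Returns (session, warning_or_None).
    """
    old = container.get_session(create=False)
    if strategy == "none" or old is None:
        return old, None
    saved = dict(old.attributes) if strategy == "migrateSession" else {}
    old.valid = False                      # invalidate the pre-login session
    new = container.get_session(create=True)
    new.attributes.update(saved)
    return new, (WARNING if new.id == old.id else None)
```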

  • #2
    I'm having a similar problem, but in my case it works correctly when accessing through Tomcat directly, but when I use Apache httpd through mod_jk I don't get a new JSESSIONID after login.

    By any chance are you also using mod_jk?


    • #3
      I have the same issue in JBoss.

      I have the default setting for session management, i.e. I have used auto-config. I see the same warning and the response does not seem to have a JSESSIONID cookie in it. Any help would be great.


      • #4
        @kg_gatolgaj are you using JBoss on its own or are you using apache in front of it?