  • Generate new sessionId on login

    Hi, I'm new to Spring Security so go easy. I have an issue trying to create a new JSESSIONID when I sign in as a new user on the same browser.

    Sign-in as User_1 JSESSIONID=ABCD, logout from webapp
    Sign-in as User_2 JSESSIONID=ABCD

    How can I get Spring Security to generate a new sessionId?

    I've added the session-fixation-protection attribute but it doesn't work. Please see my Spring configuration below.

    <http use-expressions="true" auto-config="false" entry-point-ref="authenticationProcessingFilterEntryPoint">
        <intercept-url pattern="/static/**" filters="none" />
        <intercept-url pattern="/**" access="isAuthenticated()" />
        <logout invalidate-session="true"/>
        <custom-filter position="FORM_LOGIN_FILTER" ref="authenticationProcessingFilter" />

        <session-management session-fixation-protection="newSession"/>
    </http>

    Any help much appreciated.

    Version: Spring Security 3.0.5.RELEASE
    Last edited by keano1980; Nov 24th, 2010, 05:16 AM.

  • #2
    Does logging out actually log you out? Spring Security does not control the session id that is generated; this is managed by the container. What container are you using?

    What does the configuration for the authentication filter look like? The Spring Security namespace will normally wire a SessionFixationProtectionStrategy into the authentication filter. Have you ensured this is wired in?


  • #3
    I've noticed that some browser caching and having multiple tabs of one browser pointing to the same server can be confusing. Try different browsers in your tests. I would suggest testing with the sample application that works out of the box and experimenting from a known working configuration.

    As a side note, the sample application dumps your Spring principal and related info out for you to inspect, and that is different from the Servlet session id.


  • #4
    I am also new to Spring Security and I thought that my issue is related to this thread. My problem is that sometimes I see

    WARN SessionFixationProtectionStrategy:95 - Your servlet container did not change the session ID when a new session was created. You will not be adequately protected against session-fixation attacks

    This is bothering me, so I spent some time trying to fix it. I saw that when I add session-fixation-protection to my configuration, everything should be alright. My configuration now looks like:

    <http access-denied-page="/accessDenied.sp" auto-config="false">
        <intercept-url pattern="/css/**" filters="none" />
        <intercept-url pattern="/login.sp**" filters="none" />
        <form-login login-page="/login.sp" />
        <logout logout-success-url="/login.sp" />
        <session-management session-fixation-protection="migrateSession" />
    </http>

    The problem remains though. The warning appears after my server has been restarted and there had been active sessions.

    My Spring Security is version 3.0.2.RELEASE.

    If you need something else to diagnose the problem, please let me know.

    Any help will be appreciated.

    Ivaylo Petrov


  • #5
    It means that your servlet container reused the same session ID after invalidating the session and creating a new one. It's a container issue and not something Spring Security can do anything about, so it logs a warning to that effect.
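The behaviour posts #2 and #5 describe (Spring Security invalidates the session and asks the container for a new one, then warns if the container hands back the same id) can be made concrete with a small helper. This is an added example, a hypothetical class that mirrors what SessionFixationProtectionStrategy does on login; it is not Spring Security's own code, and the class and method names are invented for illustration.

```java
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import java.util.logging.Logger;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

// Hypothetical helper (not Spring Security's own code) that mirrors what the
// SessionFixationProtectionStrategy does after a successful login.
public final class SessionIdRotationCheck {

    private static final Logger LOG = Logger.getLogger(SessionIdRotationCheck.class.getName());

    public static final class Result {
        public final String oldId, newId;
        Result(String oldId, String newId) { this.oldId = oldId; this.newId = newId; }
        // True only when the container really issued a different id.
        public boolean idChanged() { return oldId == null || !oldId.equals(newId); }
    }

    // migrateAttributes=false behaves like session-fixation-protection="newSession",
    // migrateAttributes=true like "migrateSession" (attributes copied to the new session).
    public static Result rotate(HttpServletRequest request, boolean migrateAttributes) {
        HttpSession old = request.getSession(false);
        if (old == null) {
            // No pre-login session, so there is no id an attacker could have fixed.
            return new Result(null, request.getSession(true).getId());
        }
        String oldId = old.getId();
        Map<String, Object> attrs = new HashMap<String, Object>();
        if (migrateAttributes) {
            for (Enumeration<?> names = old.getAttributeNames(); names.hasMoreElements();) {
                String name = (String) names.nextElement();
                attrs.put(name, old.getAttribute(name));
            }
        }
        old.invalidate();                       // the container should retire oldId here
        HttpSession fresh = request.getSession(true);
        for (Map.Entry<String, Object> a : attrs.entrySet()) {
            fresh.setAttribute(a.getKey(), a.getValue());
        }
        Result result = new Result(oldId, fresh.getId());
        if (!result.idChanged()) {
            // This is the situation behind the warning quoted in post #4: the same id
            // came back after invalidate(), so the login did not rotate the session.
            LOG.warning("Container reused session id after invalidate(); "
                    + "session fixation protection is ineffective for this login");
        }
        return result;
    }
}
```

Calling rotate() from a test filter after login and checking idChanged() tells you whether the container, not the Spring configuration, is the part that needs attention.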


  • #6
    PS You will want to upgrade to Spring Security 3.0.5.RELEASE to avoid the security vulnerability found in 3.0.3 and earlier.


  • #7
    Thank you both for your quick response. Obviously I will have to search for a solution elsewhere.


  • #8
    Hi ivajloip,
    did you find the solution to this issue? I have the same issue you have; I'm using Spring 3.1.1.

    My configuration is given below:

    <!-- Configuring Web security services -->
    <http auto-config="false" entry-point-ref="loginUrlAuthenticationEntryPoint"
          use-expressions="true" access-decision-manager-ref="consoleAccessDecisionManager">
        <session-management session-fixation-protection="newSession">
            <concurrency-control max-sessions="1"/>
        </session-management>
        <!-- Configuring Access Denied Page (HTTP Status Code : 401) -->
        <access-denied-handler ref="consoleAccessDeniedHandler"/>
        <!-- Inserting custom form login filter in place of spring security
             default form login filter in filter chain -->
        <custom-filter position="FORM_LOGIN_FILTER"
                       ref="consoleUsernamePasswordAuthenticationFilter" />
        <!-- Securing web resources by using intercept-url element where attribute
             pattern defines a pattern which is matched against the URLs of
             incoming requests using an ant path style syntax. attribute access
             defines the access requirements for requests matching the given -->
        <intercept-url pattern="/" access="permitAll" />
        <intercept-url pattern="/console/"
                       access="isAuthenticated() or isRememberMe()"/>
        <intercept-url pattern="/console/useradministration/**"
                       access="isAuthenticated() or isRememberMe()" />
        <intercept-url pattern="/console/statistics/**"
                       access="isAuthenticated() or isRememberMe()" />
        <intercept-url pattern="/console/widgetmanagement/**"
                       access="isAuthenticated() or isRememberMe()" />
        <intercept-url pattern="/console/systempreferences/**"
                       access="isAuthenticated() or isRememberMe()" />
        <intercept-url pattern="/console/log/**"
                       access="isAuthenticated() or isRememberMe()" />
        <intercept-url pattern="/console/handsetmanagement/**"
                       access="isAuthenticated() or isRememberMe()" />
        <intercept-url pattern="/console/walletmanagement/**"
                       access="isAuthenticated() or isRememberMe()" />
        <!-- Configuring custom logout success handler which will be called after
             user successfully logged out. -->
        <logout success-handler-ref="consoleUserLogoutSuccessHandler"
                logout-url="/logout" />
        <!-- Remember-Me service configuration -->
        <remember-me services-ref="rememberMeServices" key="systemConsole" />
    </http>

    Last edited by solanki_arjun; May 18th, 2012, 08:33 AM.