This repository was archived by the owner on Apr 4, 2025. It is now read-only.

Session Fixation Change Session ID Keeps Old Anonymous Session #222

Open
@mmoussa-mapfre

Description

An anonymous user session with principal=null is created in Mongo when I enter my app. The user authenticates with Spring Security SAML2. Session fixation protection kicks in and changes the session ID on HttpSession but on Mongo it does not change the ID, it creates a whole new session with principal=user.

Is it a bug or intended behavior that there are now 2 session records for that user, one with principal=null and another with principal=user?
How can I delete that anonymous session or change the session ID so there is only 1 session after auth?

Dependencies:

  • Spring Session Data MongoDB 2.7.0
  • Spring Boot 2.7.1
  • Embedded Tomcat
  • JDK 8
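The report above turns on which session fixation strategy Spring Security applies when the SAML2 login succeeds, since a strategy that invalidates and recreates the session and one that changes the ID of the existing session look different to a session store. The following configuration is an added example written for this page; it is not code from the issue reporter or from the Spring Session project. It assumes a Spring Boot 2.7 / Spring Security 5.7 application with the `spring-security-saml2-service-provider` dependency on the classpath, and the class name `SessionFixationConfig` is chosen here. It shows the weak setting (`none()`, which leaves the pre-login session ID in place) beside the explicit `changeSessionId()` setting, with the other two strategies noted in comments.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

/**
 * Added example (hypothetical class name): makes the session fixation strategy
 * explicit instead of relying on the framework default, so that what happens to
 * the pre-login session record is a deliberate choice rather than a surprise.
 */
@Configuration
@EnableWebSecurity
public class SessionFixationConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // Every request must be authenticated; SAML2 login as in the report.
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .saml2Login(Customizer.withDefaults())
            .sessionManagement(session -> session
                // WEAK SETTING (shown for contrast, do not ship it):
                //   .sessionFixation(fixation -> fixation.none())
                // none() keeps the session ID the client had before login, so an
                // ID planted in the browser before authentication stays valid
                // after it. That is the classic session fixation condition.
                //
                // Strategies that do protect against fixation:
                //   newSession()     - invalidates the old session and creates an
                //                      empty one (attributes are not copied).
                //   migrateSession() - invalidates the old session and creates a
                //                      new one, copying the attributes across.
                //   changeSessionId() - keeps the same session object and asks the
                //                      servlet request to change its ID in place.
                //
                // changeSessionId() is selected here: the existing session keeps
                // its attributes and only its identifier is replaced. How the
                // backing store reflects that (one renamed record versus a new
                // record next to the old one) is a property of the store's
                // implementation of changeSessionId, which is what the issue asks
                // about.
                .sessionFixation(fixation -> fixation.changeSessionId())
            );
        return http.build();
    }
}
```

Whichever protective strategy is chosen, the check a practitioner wants is the same: log in, then present the pre-login session ID to the application and confirm it no longer resolves to an authenticated session. If the store still holds a record for the old ID, that record is the one to account for, either by confirming the store deletes it when the ID changes or by using a strategy that invalidates the old session outright.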
