  1. Spring Security
  2. SEC-1391

Migration awareness for SessionListeners

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Minor
    • Resolution: Won't Fix
    • Affects Version/s: None
    • Fix Version/s: 3.1.0.M1
    • Component/s: Web
    • Labels:
      None

      Description

      SessionListeners that act on the destruction of HttpSessions sometimes need to behave differently if the session is being destroyed because its attributes are being migrated to a new session by the SessionFixationProtectionFilter. There needs to be some method that they can call to find out if that is the case. It would also be nice to have a convenience MigrationAwareSessionListener abstract class that calls a different method on migration than on true session end.

        Activity

        luke Luke Taylor added a comment -

        Session listeners are part of the servlet API and are invoked by the container, so I'm not really clear what you mean. As far as I can see, the only way (apart from checking the call stack) that you could determine that a session was being destroyed in order to migrate its attributes is to place some marker object in the session itself.

        In Spring Security 3, you can customize the SessionAuthenticationStrategy in order to alter the behaviour when the session is migrated. At that point you could put an object in the session and check for it in your HttpSessionListener. I don't think there's a need for even more infrastructure classes as the interfaces involved are very simple.
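
The marker-object approach described in the comment above, as an added example that is not part of the comment and is not code from the Spring Security project. The class and attribute names are hypothetical; it assumes Spring Security 3.x's `SessionFixationProtectionStrategy` and the `javax.servlet` API.

```java
// Added example (hypothetical names); targets Spring Security 3.x and javax.servlet.
import javax.servlet.http.*;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
import org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy;

public final class SessionMigrationExample {
    // Hypothetical attribute name; it lives server-side only, so a client cannot set it.
    static final String MIGRATING = SessionMigrationExample.class.getName() + ".MIGRATING";

    /** Marks the pre-login session, then lets the stock strategy replace it. */
    public static class MarkingStrategy implements SessionAuthenticationStrategy {
        private final SessionAuthenticationStrategy delegate = new SessionFixationProtectionStrategy();

        public void onAuthentication(Authentication auth, HttpServletRequest request,
                                     HttpServletResponse response) {
            HttpSession old = request.getSession(false);
            if (old != null) {
                old.setAttribute(MIGRATING, Boolean.TRUE);
            }
            try {
                delegate.onAuthentication(auth, request, response);
            } finally {
                // The marker is copied along with the other attributes when they are migrated,
                // and it stays put if the delegate kept the session; clear it either way.
                HttpSession current = request.getSession(false);
                if (current != null) {
                    current.removeAttribute(MIGRATING);
                }
            }
        }
    }

    /** Separates migration from a true session end (logout, timeout). */
    public static class MigrationAwareListener implements HttpSessionListener {
        public void sessionCreated(HttpSessionEvent event) { }

        public void sessionDestroyed(HttpSessionEvent event) {
            // Servlet 2.4+ calls this before invalidation, so attributes are still readable.
            if (event.getSession().getAttribute(MIGRATING) != null) {
                onMigration(event.getSession());
            } else {
                onSessionEnd(event.getSession());
            }
        }
        protected void onMigration(HttpSession session) { /* keep resources tied to the user */ }
        protected void onSessionEnd(HttpSession session) { /* release per-session resources */ }
    }
}
```

The strategy has to be registered in place of the default session authentication strategy, and the listener declared to the container like any other `HttpSessionListener`.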

        issuemaster Spring Issuemaster added a comment -

        This issue has been migrated to https://github.com/spring-projects/spring-security/issues/1634

          People

          • Assignee:
            luke Luke Taylor
            Reporter:
            rockwalrus Nathan Summers
          • Votes:
            0
            Watchers:
            1