Spring Security / SEC-1462

SessionFixationProtectionFilter creates new session even when the requested session id is null or invalid.

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 2.0.4
    • Fix Version/s: 3.0.3, 3.1.0.M1
    • Component/s: Core
    • Labels:
      None
    • Environment:
      apache-tomcat-6.0.20
      jdk 1.6.0_16
      blackberry 9000 v4.6.0.282

      Description

      We ran into an issue where the hotspot browser on BlackBerry devices was not able to maintain the HttpSession. We are using Tomcat 6 as our web server. After investigation it was found that Tomcat is generating two Set-Cookie headers for JSESSIONID. Of these two JSESSIONIDs, the second one is valid; however, the hotspot browser is picking up the wrong one (i.e. the first one) and that is why it is not able to maintain the session. With further investigation it was found that the SessionFixationProtectionFilter invalidates the current session and then creates a new one if the user is authenticated during the current request. This was causing the multiple JSESSIONIDs.

      Though the issue seems to be with the browser and Tomcat, the SessionFixationProtectionFilter creates a new session when it is not required, i.e. when the requested session id is invalid or null. So we need to add an extra condition which also checks request.isRequestedSessionIdValid() in the already existing condition:

      // existing code
      if (request.getSession(false) == null || request.getAttribute(FILTER_APPLIED) != null) {
          chain.doFilter(request, response);
          return;
      }

      // changed code: also skip when the client did not present a valid session id
      if (request.getSession(false) == null || request.getAttribute(FILTER_APPLIED) != null
              || !request.isRequestedSessionIdValid()) {
          chain.doFilter(request, response);
          return;
      }

      This not only fixes the issue mentioned but also improves performance, as we are avoiding unnecessary session creation.
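      The guard in the description rests on one observation: a session can only have been "fixed" by an attacker if the client actually presented its id, so a session that the container created during the current request carries a fresh id and gains nothing from being invalidated and recreated (it only produces the second JSESSIONID Set-Cookie header). The following helper is an added example written for this page, not Spring Security's own SessionFixationProtectionFilter source. The class name SessionMigration, the method names and the assumption that the application's login handler calls migrateOnAuthentication() after verifying credentials and before the response is committed are all choices made for the illustration.

```java
// Added illustration (not Spring Security's own code): session migration on login
// using the isRequestedSessionIdValid() guard proposed in SEC-1462.
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

public final class SessionMigration {

    private SessionMigration() {}

    /**
     * Migration is only worthwhile when a session exists AND the client supplied
     * its id (and the container still recognises that id). If the requested id is
     * absent or invalid, any session present was created by the container during
     * this request: its id was never seen by the client before, so it cannot have
     * been planted, and invalidating it would just emit a second JSESSIONID cookie.
     */
    static boolean needsMigration(HttpServletRequest request) {
        return request.getSession(false) != null && request.isRequestedSessionIdValid();
    }

    /**
     * Called by the login handler (hypothetical usage for this example) right after
     * authentication succeeds and BEFORE anything is written to the response, since
     * the new session id must still be sent as a Set-Cookie header:
     *
     *     HttpSession session = SessionMigration.migrateOnAuthentication(request);
     *     session.setAttribute("user", principal); // store login state in the new session
     *
     * Returns the session the caller should use from now on.
     */
    static HttpSession migrateOnAuthentication(HttpServletRequest request) {
        if (!needsMigration(request)) {
            // No session, or a session new to this request: keep it as is.
            return request.getSession(false);
        }

        HttpSession old = request.getSession(false);

        // Carry the pre-login attributes (e.g. a shopping basket) over to the new
        // session; copy first, because invalidate() discards them.
        Map<String, Object> attributes = new HashMap<String, Object>();
        Enumeration<?> names = old.getAttributeNames();
        while (names.hasMoreElements()) {
            String name = (String) names.nextElement();
            attributes.put(name, old.getAttribute(name));
        }

        // Invalidate the id the client arrived with, then let the container issue a
        // fresh one. A session id chosen before login is no longer accepted.
        old.invalidate();
        HttpSession fresh = request.getSession(true);
        for (Map.Entry<String, Object> e : attributes.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }
}
```

      Because the helper runs at the point of authentication rather than in a filter wrapped around the whole chain, there is no need for a FILTER_APPLIED marker; the guard is the same as the one in the patch above, and for a request whose session was created moments earlier in the same request it returns without touching the session, which is exactly the case that produced the duplicate cookie on Tomcat.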

        Activity

        Filip Hanik added a comment -

        The multiple JSESSIONID headers are a bug in Apache Tomcat:
        https://issues.apache.org/bugzilla/show_bug.cgi?id=49158

        Luke Taylor added a comment - edited

        Thanks for the report. I've added your fix to the 2.0.x branch and also applied an equivalent patch to the 3.0.x and master branches. Note that we don't anticipate any further public releases of the 2.0 series. However, you can apply the patch yourself and once the Tomcat fix is in place you should be able to upgrade to remove the problem with the multiple session-cookie headers.


          People

          • Assignee: Luke Taylor
          • Reporter: Amit Kumar Jain
          • Votes: 0
          • Watchers: 1
