spring-session-data-mongodb icon indicating copy to clipboard operation
spring-session-data-mongodb copied to clipboard
verified publisher icon spring-projects

Session Fixation Change Session ID Keeps Old Anonymous Session

Open ghost opened this issue 3 years ago • 0 comments

An anonymous user session with principal=null is created in Mongo when I enter my app. The user authenticates with Spring Security SAML2. Session fixation protection kicks in and changes the session ID on HttpSession but on Mongo it does not change the ID, it creates a whole new session with principal=user.

Is it a bug or intended behavior that there are now 2 session records for that user, one with principal=null and another with principal=user? How can I delete that anonymous session or change the session ID so there is only 1 session after auth?

Dependencies:

  • Spring Session Data MongoDB 2.7.0
  • Spring Boot 2.7.1
  • Embedded Tomcat
  • JDK 8

ghost avatar Jul 19 '22 19:07 ghost