How to stop Spring Security from creating a new session?

spring security httpsession
jacekn picture jacekn · Jan 5, 2013 · Viewed 18.4k times · Source

Scenario

  1. I restart the server and browser so there's no session data.
  2. I go to www.someurl.com public access page. My controller gets me a session with this HttpSession session=request.getSession(true);
  3. I click on a plane anchor link to www.someurl.com/admin restricted access page which opens in a new tab. Spring Security 3 intercepts this and challenges for credentials. I log in successfully.
  4. I go back to the previous tab with www.someurl.com and refresh the page.

Problem

What I notice in my controller for www.someurl.com is that the session id is different on step 2 and step 4. Looks like Spring Security created a new session and that session is now attached to the request for public page. Why does this happen and can I force Spring Security to use existing session?

Traced scenario

  1. Restart browser and server so no session data exist(s).
  2. I go to www.someurl.com. Controller has request injected. request.session is null. getSession(true) gets me a session with id 87B091B12F38D44C53AF0DA9E2147484. LogService gets the request object and also does getSession(true) but gets session with id 87B091B12F38D44C53AF0DA9E2147484 so all's good thus far.
  3. I click /admin. Page opens up in new tab. I log in.
  4. I refresh the www.someurl.com. Controller has request injected. request.session is not null. Session id is 547DF59035C91783D783BAEF4A15FBFF.

Answer

JB Nizet picture JB Nizet · Jan 5, 2013

You got your diagnostic wrong:

What I notice in my controller for www.someurl.com is that the session id is different on step 2 and step 4. Looks like Spring Security created a new session and that session is now attached to the request for public page.

It's precisely because all the pages use the same session that when you go back to the first tab and refresh, you're still logged in as an admin. All the tabs and frames of a given browser share the same session for a given webapp. That's how it works. The server doesn't know and care about browser tabs. It gets a session cookie attached to all the requests sent by a given browser, and uses this cookie to get the corresponding session. This is actually a good thing. Without that, each time you open a new tab once already authenticated, you would have to authenticate again. And you definitely don't want that.

So let's explain what happens in your scenario:

  1. you restart the server and browser so there's no session data.
  2. you go to www.someurl.com public access page. Your controller gets you a session. A cookie is sent back to the browser
  3. You click on a plane anchor link to www.someurl.com/admin restricted access page which opens in a new tab. The cookie is sent with the request, so this request is part of the session opened at step 2. Spring Security 3 intercepts this and challenges for credentials. It attaches credentials to the session, which is now an authenticated session
  4. You go back to the previous tab with www.someurl.com and refresh the page. The cookie is sent again, and Spring knows that you're the guy who authenticated at step 3, because the authentication credentials are stored in session.

EDIT: it appears I was wrong, and Spring indeed creates a new session after login to prevent session fixation attacks. Explanations about why this is useful, and how to avoid this behavior are available in the documentation:

Session fixation attacks are a potential risk where it is possible for a malicious attacker to create a session by accessing a site, then persuade another user to log in with the same session (by sending them a link containing the session identifier as a parameter, for example). Spring Security protects against this automatically by creating a new session when a user logs in. If you don't require this protection, or it conflicts with some other requirement, you can control the behaviour using the session-fixation-protection attribute on , which has three options

  • migrateSession - creates a new session and copies the existing session attributes to the new session. This is the default.

  • none - Don't do anything. The original session will be retained.

  • newSession - Create a new "clean" session, without copying the existing session data.

Related questions

Spring Test & Security: How to mock authentication?

I was trying to figure out how to unit test if my the URLs of my controllers are properly secured. Just in case someone changes things around and accidentally removes security settings. My controller method looks like this: @RequestMapping("/api/…

Read More
Unit testing with Spring Security

My company has been evaluating Spring MVC to determine if we should use it in one of our next projects. So far I love what I've seen, and right now I'm taking a look at the Spring Security module to …

Read More
Spring MVC - Checking if User is already logged in via Spring Security?

I have a Spring MVC application.It uses its own custom Login page. Upon successful login, a 'LOGGED_IN_USER' object is placed in the HTTPSession. I want to allow only authenticated users to access URLs. I know i can …

Read More