Class SessionFixationProtectionStrategy

  extended by
All Implemented Interfaces:
Direct Known Subclasses:

public class SessionFixationProtectionStrategy
extends Object
implements SessionAuthenticationStrategy

The default implementation of SessionAuthenticationStrategy.

Creates a new session for the newly authenticated user if they already have a session (as a defence against session-fixation protection attacks), and copies their session attributes across to the new session (can be disabled by setting migrateSessionAttributes to false).

This approach will only be effective if your servlet container always assigns a new session Id when a session is invalidated and a new session created by calling HttpServletRequest.getSession().

If concurrent session control is in use, then a SessionRegistry must be injected.

$Id: 3921 2009-10-05 16:40:32Z ltaylor $
Luke Taylor

Field Summary
protected  org.apache.commons.logging.Log logger
Constructor Summary
Method Summary
 void onAuthentication(Authentication authentication, HttpServletRequest request, HttpServletResponse response)
          Called when a user is newly authenticated.
protected  void onSessionChange(String originalSessionId, HttpSession newSession, Authentication auth)
          Called when the session has been changed and the old attributes have been migrated to the new session.
 void setAlwaysCreateSession(boolean alwaysCreateSession)
 void setMigrateSessionAttributes(boolean migrateSessionAttributes)
 void setRetainedAttributes(List<String> retainedAttributes)
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail


protected final org.apache.commons.logging.Log logger
Constructor Detail


public SessionFixationProtectionStrategy()
Method Detail


public void onAuthentication(Authentication authentication,
                             HttpServletRequest request,
                             HttpServletResponse response)
Called when a user is newly authenticated.

If a session already exists, a new session will be created, the session attributes copied to it (if migrateSessionAttributes is set) and the sessionRegistry updated with the new session information.

If there is no session, no action is taken unless the alwaysCreateSession property is set, in which case a session will be created if one doesn't already exist.

Specified by:
onAuthentication in interface SessionAuthenticationStrategy


protected void onSessionChange(String originalSessionId,
                               HttpSession newSession,
                               Authentication auth)
Called when the session has been changed and the old attributes have been migrated to the new session. Only called if a session existed to start with. Allows subclasses to plug in additional behaviour.

originalSessionId - the original session identifier
newSession - the newly created session
auth - the token for the newly authenticated principal


public void setMigrateSessionAttributes(boolean migrateSessionAttributes)


public void setRetainedAttributes(List<String> retainedAttributes)


public void setAlwaysCreateSession(boolean alwaysCreateSession)

Copyright © 2004-2009 SpringSource, Inc. All Rights Reserved.