Package org.springframework.security.web.authentication.session

package org.springframework.security.web.authentication.session

Strategy interface and implementations for handling session-related behaviour for a newly authenticated user.

Comes with support for:

• Protection against session-fixation attacks
• Controlling the number of sessions an authenticated user can have open

Related Packages

Package	Description
org.springframework.security.web.authentication	Authentication processing mechanisms, which respond to the submission of authentication credentials using various protocols (eg BASIC, CAS, form login etc).

Class	Description
AbstractSessionFixationProtectionStrategy	A base class for performing session fixation protection.
AbstractSessionFixationProtectionStrategy.NullEventPublisher
ChangeSessionIdAuthenticationStrategy	Uses HttpServletRequest.changeSessionId() to protect against session fixation attacks.
CompositeSessionAuthenticationStrategy	A SessionAuthenticationStrategy that accepts multiple SessionAuthenticationStrategy implementations to delegate to.
ConcurrentSessionControlAuthenticationStrategy	Strategy which handles concurrent session-control.
NullAuthenticatedSessionStrategy
RegisterSessionAuthenticationStrategy	Strategy used to register a user with the SessionRegistry after successful Authentication.
SessionAuthenticationException	Thrown by an SessionAuthenticationStrategy to indicate that an authentication object is not valid for the current session, typically because the same user has exceeded the number of sessions they are allowed to have concurrently.
SessionAuthenticationStrategy	Allows pluggable support for HttpSession-related behaviour when an authentication occurs.
SessionFixationProtectionEvent	Indicates a session ID was changed for the purposes of session fixation protection.
SessionFixationProtectionStrategy	Uses HttpServletRequest.invalidate() to protect against session fixation attacks.