Skip to content

SessionRepositoryFilter#changeSessionId does not copy the previous maxInactiveInterval into the new session #951

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
yacota opened this issue Dec 10, 2017 · 3 comments
Closed

SessionRepositoryFilter#changeSessionId does not copy the previous maxInactiveInterval into the new session #951

yacota opened this issue Dec 10, 2017 · 3 comments
Assignees
@vpavic
Labels
in: core type: bug A general bug
Milestone
1.3.2

Comments

@yacota
Copy link

yacota commented Dec 10, 2017

When using SpringSession with ChangeSessionIdAuthenticationStrategy the SessionRepositoryFilter's method, changeSessionId, is invoked. In this code the session variable and the original variable are a reference to the same object, so in the following code extracted from SessionRepositoryFilter.changeSessionId

HttpSessionWrapper newSession = getSession();
original.setSession(newSession.getSession());
newSession.setMaxInactiveInterval(session.getMaxInactiveInterval());

in the second line we are effectively overwriting the internal session object of the same HttpSessionWrapper, referenced by our original AND session variables.
So in the third line we have lost the reference to the previously stored maxInactiveInterval value

The solution is as simply as

HttpSessionWrapper newSession = getSession();
int previousValue = session.getMaxInactiveInterval();
original.setSession(newSession.getSession());
newSession.setMaxInactiveInterval(previousValue);
@vpavic vpavic self-assigned this Dec 22, 2017
@vpavic
Copy link
Contributor

vpavic commented Dec 22, 2017

Thanks for the report @yacota - I assume this is with Spring Session 1.3.x?

@yacota
Copy link
Author

yacota commented Dec 28, 2017
edited
Loading

Happy to help, yes the code described belongs to 1.3.1 version
Today I've seen that @rwinch changed the way "changeSessionId" works in

#835

By reviewing you changes I think that the bug is solved in master

@vpavic
Copy link
Contributor

vpavic commented Jan 3, 2018

Thanks for following up @yacota.

Yes, this looks like a bug affecting 1.3.x branch. As you noted yourself, the master i.e. 2.0.x isn't affected due to HttpServletRequest#changeSessionId being fully implemented in #835.

@vpavic vpavic added type: bug A general bug in: core labels Jan 3, 2018
@vpavic vpavic added this to the 1.3.2 milestone Jan 28, 2018
vpavic added a commit that referenced this issue Jan 29, 2018
@vpavic
Fix SessionRepositoryFilter not retaining original `maxInactiveInte…
2d3001a 
…rval`

Closes gh-951
@vpavic vpavic closed this as completed Jan 29, 2018
@vpavic vpavic changed the title SessionRepositoryFilter's method, changeSessionId, does not copy the previous maxInactiveInterval into the new session SessionRepositoryFilter#changeSessionId does not copy the previous maxInactiveInterval into the new session Feb 12, 2018
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@vpavic vpavic

Labels
in: core type: bug A general bug
Projects
None yet
Milestone
1.3.2
Development

No branches or pull requests
2 participants
@vpavic @yacota