SessionRepositoryFilter#changeSessionId does not copy the previous maxInactiveInterval into the new session

[yacota]

When using SpringSession with ChangeSessionIdAuthenticationStrategy the SessionRepositoryFilter's method, changeSessionId, is invoked. In this code the session variable and the original variable are a reference to the same object, so in the following code extracted from SessionRepositoryFilter.changeSessionId

HttpSessionWrapper newSession = getSession();
original.setSession(newSession.getSession());
newSession.setMaxInactiveInterval(session.getMaxInactiveInterval());

in the second line we are effectively overwriting the internal session object of the same HttpSessionWrapper, referenced by our original AND session variables.
So in the third line we have lost the reference to the previously stored maxInactiveInterval value

The solution is as simply as

HttpSessionWrapper newSession = getSession();
int previousValue = session.getMaxInactiveInterval();
original.setSession(newSession.getSession());
newSession.setMaxInactiveInterval(previousValue);

[vpavic]

Thanks for the report @yacota - I assume this is with Spring Session 1.3.x?

[yacota]

Happy to help, yes the code described belongs to 1.3.1 version
Today I've seen that @rwinch changed the way "changeSessionId" works in

#835

By reviewing you changes I think that the bug is solved in master

[vpavic]

Thanks for following up @yacota.

Yes, this looks like a bug affecting 1.3.x branch. As you noted yourself, the master i.e. 2.0.x isn't affected due to HttpServletRequest#changeSessionId being fully implemented in #835.