
I have the following scenario:

  1. I access a web application that makes use of Spring Security and create an object in the session, let us say a cart with some entries.
  2. I access the application using a RESTful client. I have the user, password, and JSESSIONID cookie with its corresponding value. Both are using basic authentication.

The result? I get the object, the cart in this case, but it comes back empty. It does not have the entries that were added. It is almost as if, even though I was able to authenticate successfully, there is a mechanism in place that creates a new instance of the object instead of giving me the existing one.

Do you have any idea if Spring Security is somehow not allowing this to happen?

I also noticed that I send the cookie JSESSIONID=Number and when it responds it gives me a different number for JSESSIONID. My assumption is that even though I have the right credentials and it allows me to log in, it does not allow me to use the same session; it simply creates a new one and my cart is empty there.

Any help will be greatly appreciated!

Michael
user1532449

2 Answers

Spring Security replaces the JSESSIONID cookie after authentication (and it is strongly recommended not to disable this feature, since it is what prevents session fixation attacks). The following configuration enables the feature

<http ...>
    ...
    <session-management session-fixation-protection="migrateSession" />
</http>

To copy the existing session attributes use migrateSession.

The attribute values, according to the documentation http://static.springsource.org/spring-security/site/docs/3.2.x/reference/springsecurity-single.html#session-mgmt :

  • migrateSession - creates a new session and copies the existing session attributes to the new session. This is the default.
  • none - Don't do anything. The original session will be retained.
  • newSession - Create a new "clean" session, without copying the existing session data.
Michael

Spring creates a new session on authentication. This is called Session Fixation Protection. Read more about it here:

kevin847
  • Thank you very much Kevin. I already removed the protection for that by doing the following: Here is what I am doing: 1.- Access the web app, 2.- Get the value for the JSESSIONID cookie, 3.- Access with a RESTful client, using the same credentials, authentication (basic), and I send the JSESSIONID cookie with the value I got at 2. But still, even though I can authenticate, it always creates a new session and therefore my cart comes back empty. Any idea of how to overcome this? Thanks again for your kind help! – user1532449 May 02 '13 at 18:19
  • Can you share your spring security configuration? – kevin847 May 02 '13 at 21:16