This repository was archived by the owner on Apr 4, 2025. It is now read-only.
An anonymous user session with principal=null is created in Mongo when I enter my app. The user authenticates with Spring Security SAML2. Session fixation protection kicks in and changes the session ID on HttpSession but on Mongo it does not change the ID, it creates a whole new session with principal=user.
Is it a bug or intended behavior that there are now 2 session records for that user, one with principal=null and another with principal=user?
How can I delete that anonymous session or change the session ID so there is only 1 session after auth?
Dependencies:
Spring Session Data MongoDB 2.7.0
Spring Boot 2.7.1
Embedded Tomcat
JDK 8