Session change doesn't remove old session

[finke-ba]

Hello @vpavic.

SpringSessionWebSessionStore in method changeSessionId() only change session id, but doesn't remove old one.

public Mono<Void> changeSessionId() {
	return Mono.defer(() -> {
		this.session
				.changeSessionId();
		return save();
	});
}

But in default implementation of SessionStore - InMemoryWebSessionStore it delete current one first and create new after that:

public Mono<Void> changeSessionId() {
	String currentId = this.id.get();
	InMemoryWebSessionStore.this.sessions.remove(currentId);
	String newId = String.valueOf(idGenerator.generateId());
	this.id.set(newId);
	InMemoryWebSessionStore.this.sessions.put(this.getId(), this);
	return Mono.empty();
}

Was it implemented without deleting old session by purpose and what is the correct way of removing old session in this case?

[vpavic]

Hi @finke-ba, thanks for reaching out.

Conceptually, Spring WebFlux's InMemoryWebSessionStore and Spring Session's SpringSessionWebSessionStore are quite different, because in case of default WebFlux implementation everything's in-memory and there's no concept of session repository like in Spring Session's implementation. When you actually do WebSession#changeSessionId on a WebSession that's backed by Spring Session's ReactiveSessionRepository it's actually repository's responsibility to take care of the removal, as that part is coupled to the concrete data store we're dealing with and its capabilities.

Are you experiencing any concrete problem with this?

[finke-ba]

@vpavic, thank you for the response.
My main problem that in my WebFlux application after logout I still have old session in DB and it's still possible to use this session. I mean if you save session cookie, logout and after that make a request with old cookie you will get previous session from db.
And I ended up in WebSession#changeSessionId which just create new session, but old session still exist and valid. I thought old session should be deleted or invalidated by default, without adding my custom logic somewhere.

[vpavic]

What's the actually ReactiveSessionRepository implementation you're using? Right now we have no information at all about your Spring Session setup. Can you provide a sample application that demonstrates the problem?

[finke-ba]

I'm using ReactiveMongoOperationsSessionRepository. Yes, I could provide example , but it will take some time to make it.

[vpavic]

MongoDB implementation is handled by separate project - you should open an issue against spring-session-data-mongodb repo. Once you do that, feel free to post a link to that issue here.

I'm going to close this for now, if it turns out this is a problem in Spring Session core, we can always reopen the issue later on.

[finke-ba]

@vpavic could you tell me please why WebSession#changeSessionId it's not implemented like this:

@Override
public Mono<Void> changeSessionId() {
	return Mono.defer(() -> {
		this.session.changeSessionId();
		return invalidate().then(save());
	});
}

[finke-ba]

@vpavic please check this example - https://github.com/finke-ba/webflux-logout-not-delete-session-example

[vpavic]

As explained in previous comment, this is a responsibility of ReactiveSessionRepository that SpringSessionWebSessionStore delegates to.

For example, in Redis implementation this project provides, this is handled by Redis rename command:

spring-session/spring-session-data-redis/src/main/java/org/springframework/session/data/redis/ReactiveRedisSessionRepository.java

Lines 305 to 306 in e2abe36

	return ReactiveRedisSessionRepository.this.sessionRedisOperations.rename(originalSessionKey, sessionKey)
	.and(replaceSessionId);

So the problem really is in MongoDB implementation, and should be reported in the appropriate project.

[finke-ba]

Okey, thank you for you help a lot!
I'll report this issue to spring-session-data-mongodb.