From cffbefadd1befc26cf497ab6f8e81fc4045cd9eb Mon Sep 17 00:00:00 2001 From: Rob Winch Date: Sun, 6 Oct 2013 17:13:40 -0500 Subject: [PATCH] SEC-2306: Fix Session Fixation logging race condition Previously session fixation protection could output an incorrect warning that session fixation protection did not work. The code now synchronizes on WebUtils.getSessionMutex(..). --- ...bstractSessionFixationProtectionStrategy.java | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/web/src/main/java/org/springframework/security/web/authentication/session/AbstractSessionFixationProtectionStrategy.java b/web/src/main/java/org/springframework/security/web/authentication/session/AbstractSessionFixationProtectionStrategy.java index 444e250959..57c9ab51b0 100644 --- a/web/src/main/java/org/springframework/security/web/authentication/session/AbstractSessionFixationProtectionStrategy.java +++ b/web/src/main/java/org/springframework/security/web/authentication/session/AbstractSessionFixationProtectionStrategy.java @@ -26,6 +26,7 @@ import org.springframework.context.ApplicationEventPublisher; import org.springframework.context.ApplicationEventPublisherAware; import org.springframework.security.core.Authentication; import org.springframework.util.Assert; +import org.springframework.web.util.WebUtils; /** * A base class for performing session fixation protection. @@ -70,12 +71,19 @@ abstract class AbstractSessionFixationProtectionStrategy implements SessionAuthe HttpSession session = request.getSession(); if (hadSessionAlready && request.isRequestedSessionIdValid()) { - // We need to migrate to a new session - String originalSessionId = session.getId(); - session = applySessionFixation(request); + String originalSessionId; + String newSessionId; + Object mutex = WebUtils.getSessionMutex(session); + synchronized(mutex) { + // We need to migrate to a new session + originalSessionId = session.getId(); - if (originalSessionId.equals(session.getId())) { + session = applySessionFixation(request); + newSessionId = session.getId(); + } + + if (originalSessionId.equals(newSessionId)) { logger.warn("Your servlet container did not change the session ID when a new session was created. You will" + " not be adequately protected against session-fixation attacks"); }