diff --git a/web/src/main/java/org/springframework/security/web/authentication/session/ConcurrentSessionControlStrategy.java b/web/src/main/java/org/springframework/security/web/authentication/session/ConcurrentSessionControlStrategy.java
index 75e268523b..d3f2d0868b 100644
--- a/web/src/main/java/org/springframework/security/web/authentication/session/ConcurrentSessionControlStrategy.java
+++ b/web/src/main/java/org/springframework/security/web/authentication/session/ConcurrentSessionControlStrategy.java
@@ -141,13 +141,6 @@ public class ConcurrentSessionControlStrategy extends SessionFixationProtectionS
leastRecentlyUsed.expireNow();
}
- @Override
- protected void onSessionChange(String originalSessionId, HttpSession newSession, Authentication auth) {
- // Update the session registry
- sessionRegistry.removeSessionInformation(originalSessionId);
- sessionRegistry.registerNewSession(newSession.getId(), auth.getPrincipal());
- }
-
/**
* Sets the exceptionIfMaximumExceeded property, which determines whether the user should be prevented
* from opening more sessions than allowed. If set to true, a SessionAuthenticationException
diff --git a/web/src/test/java/org/springframework/security/web/authentication/session/ConcurrentSessionControlStrategyTests.java b/web/src/test/java/org/springframework/security/web/authentication/session/ConcurrentSessionControlStrategyTests.java
new file mode 100644
index 0000000000..c997162fdb
--- /dev/null
+++ b/web/src/test/java/org/springframework/security/web/authentication/session/ConcurrentSessionControlStrategyTests.java
@@ -0,0 +1,63 @@
+package org.springframework.security.web.authentication.session;
+
+import static org.mockito.AdditionalMatchers.not;
+import static org.mockito.Matchers.anyObject;
+import static org.mockito.Matchers.anyString;
+import static org.mockito.Matchers.eq;
+import static org.mockito.Mockito.times;
+import static org.mockito.Mockito.verify;
+
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.Mock;
+import org.mockito.runners.MockitoJUnitRunner;
+import org.springframework.mock.web.MockHttpServletRequest;
+import org.springframework.mock.web.MockHttpServletResponse;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.session.SessionRegistry;
+
+/**
+ *
+ * @author Rob Winch
+ *
+ */
+@RunWith(MockitoJUnitRunner.class)
+public class ConcurrentSessionControlStrategyTests {
+ @Mock
+ private SessionRegistry sessionRegistry;
+ @Mock
+ private Authentication authentication;
+
+ private MockHttpServletRequest request;
+ private MockHttpServletResponse response;
+
+ private ConcurrentSessionControlStrategy strategy;
+
+ @Before
+ public void setup() throws Exception {
+ request = new MockHttpServletRequest();
+ response = new MockHttpServletResponse();
+
+ strategy = new ConcurrentSessionControlStrategy(sessionRegistry);
+ }
+
+ @Test
+ public void onAuthenticationNewSession() {
+ strategy.onAuthentication(authentication, request, response);
+
+ verify(sessionRegistry,times(0)).removeSessionInformation(anyString());
+ verify(sessionRegistry).registerNewSession(anyString(), anyObject());
+ }
+
+ // SEC-1875
+ @Test
+ public void onAuthenticationChangeSession() {
+ String originalSessionId = request.getSession().getId();
+
+ strategy.onAuthentication(authentication, request, response);
+
+ verify(sessionRegistry,times(0)).removeSessionInformation(anyString());
+ verify(sessionRegistry).registerNewSession(not(eq(originalSessionId)), anyObject());
+ }
+}