Home/ Questions/Q 6012861
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-23T02:27:55+00:00

I’m using spring security 3.0 with Spring MVC. My Java Web application is a

  • 0

I’m using spring security 3.0 with Spring MVC. My Java Web application is a Shopping cart. I’m using a Service that store a shopping list in session, When User A create a shopping list, and then proceed to logout and login again, the shopping list is restored as normal, but if another User B go to the same Application, using the SAME browser and proceed to login, the session is restored using the Shopping list of User A!.

What I can understand is that the JSESSION cookie doesn’t change when user A logout in the same browser. That is the reason that if User A login to the application using another browser, he doesn’t have the same session data, the JSESSION cookie is different.

I’m using my own authentication success handler for login and logout.

    <http auto-config="true" use-expressions="true">
    <intercept-url pattern="/index.html" access="permitAll"/>
    <form-login login-page="/index.html"
              default-target-url="/index.html"
              authentication-success-handler-ref = "loginSuccessHandler"
              />

    <logout  invalidate-session="false" logout-url="/logout" success-handler-ref="logoutSuccessHandler" />
   <!-- <logout  invalidate-session="false" success-handler-ref="logoutSuccessHandler" /> -->
</http>

And yes using invalidate-session = “true” might be a short-time solution, but in this way I cannot use data saved in session.

What i want is that when UserA log in a browser, save some data to session (the shopping list), and then logout, make UserB have his own session, instead of using the session of UserA, i suspect that the answer is in asigning a new cookie to userB, but also, to asign the old cookie to UserA.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    The closest you will get is a <session-managemement> element.

    • If you set the session-fixation-protection attribute set to "migrateSession", the new token will have the session attributes from the old token.

    • If you set it to "newSession" the session attributes will be discarded.

    Refer to the SpringSecurity manual for more details.

    What i want is that when UserA log in a browser, save some data to session (the shopping list), and then logout, make UserB have his own session, instead of using the session of UserA, i suspect that the answer is in asigning a new cookie to userB, but also, to asign the old cookie to UserA.

    I don’t think that you will achieve this by simply changing the session token. The problem is that the browser only stores one session token. Once the token has been changed, the browser has no knowledge of the old token value and the server has no knowledge of who owns the old token. If you want the shopping list to persist beyond the end of the session (i.e. after UserA logs out), you will have to persist it somewhere else.

    • 0