I’m writing a web app using grails and spring-security 3.0.3 which requires me to keep a databse record of all successful logins, including the username, time, ip, and sessionId.

I have created a login listener as so(groovy code):

class DpLoginListener implements ApplicationListener<InteractiveAuthenticationSuccessEvent> {
    void onApplicationEvent(InteractiveAuthenticationSuccessEvent event) {
        def source = event.getSource()
        def principal = source.principal
        def details = source.details
        TrafficLogin.withTransaction {
            new TrafficLogin(userId: principal.id, ipAddress: details.remoteAddress, sessionId: details.sessionId ?: 'remember me').save(failOnError: true)
        }
    }
}

This fires as expected when a user logs in, but when someone comes back to a site as a “remember me” user, the sessionId is null. Is this the expected behavior? Shouldn’t a session be created by the time login has succeeded?

I tried to workaround this by adding a separate SessionCreationEvent listener, which would find the latest databse login record for the user and update that row with the correct sessionId as soon as the session exists, but it seems that this session creation event never fires, and I can’t figure out why.

The session creation listener looks like this:

class DpSessionCreatedListener implements ApplicationListener<SessionCreationEvent> {
  void onApplicationEvent(SessionCreationEvent event) {
    def source = event.getSource()
    def principal = source.principal
    def details = source.details
    TrafficLogin.withTransaction {
      def rememberMe = TrafficLogin.find("from TrafficLogin as t where t.userId=? and t.sessionId='remember me' order by t.dateCreated desc", principal.id)
      if (rememberMe) {
        rememberMe.sessionId = details.sessionId
        rememberMe.save(failOnError:true)
      }
    }
  }
}

And a bean is defined for it in my resources.groovy file, in the same manner as the login listener, which fires fine.

Any ideas how to correctly set this sessionId?