In my application I have an embedded jetty server (version 8.1.2) running a web application that uses spring web security.
The jetty server is configured to use the JDBCSessionManager

One of the security filters that spring employs is a subclass of AbstractAuthenticationProcessingFilter, in it, it has a SessionAuthenticationStrategy which by default is a SessionFixationProtectionStrategy. This protection strategy creates a new session, as a copy of the original session and invalidates the old one.

Now when I try to login to the web application, I see that a new session is created, but the authentication attributes that are added to the new session are not written back to the database. Moreover, I see that the old session is written to the database with new attributes even though it was invalidated.

Finally, when a new http request arrives as part of the new session, it does not pass authentication because of the above.

After some investigation, I found that this behavior does not happen in older versions of jetty (I tried 7.1.4), and I see that the new session data is written to the database.

I could of course solve this issue by any of the following:

• Use an older version of jetty
• Disable the session fixation protection strategy
• Use the default session manager instead of the JDBCSessionManager

But assuming non of the above options are valid for me, I was wondering if there is any solution to this problem.

Thanks!