Home/ Questions/Q 9234119
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-18T06:42:54+00:00

Update : I’d expected this problem was related to the specific Spring version I

  • 0

Update: I’d expected this problem was related to the specific Spring version I was using, but Rob’s answer indicates it’s probably something specific to my environment. We’ve found a workaround for this particular issue (a filter that manually clears the session on login), so I’ve marked Rob’s answer as correct.

In my Spring application, my sessions are being persisted between logins. I’d like for the session to be cleared on login.

I am using Spring Security 2.0.4 (don’t ask), and my security configuration looks something like this 

<security:http ...
session-fixation-protection="newSession">
...
        <security:logout invalidate-session="true" logout-success-url="/login.html" />
</security:http>

I was under the impression that session-fixation-protection=”newSession” would clear sessions on user logins. Another interesting point is that sessions are being cleared on logout, so invalidate-session=”true” has the desired effect.

When testing, I use the following methods:

@RequestMapping(value = "writeSession")
String writeSession(HttpServletRequest request) {
  request.getSession().setAttribute("username", MySecurityService.getLoggedInUsername());
  ...
}

@RequestMapping(value = "readSession")
String readSession(HttpServletRequest request) {
  log.info("Current username: " + request.getSession().getAttribute("username");
  ...
}

Then I:

  1. Login as user1
  2. Visit writeSession (sets session username to “user1”)
  3. Visit readSession (log output: Current username: user1)
  4. Login as user2 (without logging out)
  5. Visit readSession (log output: Current username: user1)

Note that if I logout between steps 3 and 4, I get the expected results (Current username: null)

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    I created a sample that demonstrates that in general this should work. See the the so-clear-spring-session-on-login branch of this git repo for a working example.

    There could be a few things that may cause you issues depending on the rest of your configuration.

    • Can you share the rest of your Spring Security configuration? For example, if you are switching between HTTP and HTTPS it may be switching which session is being used. You might refer to the Spring Security FAQ for more details on what can go wrong with sessions.

    • What does the implementation of MySecurityService look like?

    • What does your web.xml look like?

    • 0