Not able to login when restart server while logined

Details

  • Type: Bug Bug
  • Status: Closed Closed
  • Priority: Minor Minor
  • Resolution: Not a Bug
  • Affects Version/s: 3.0.1
  • Fix Version/s: 3.0.2
  • Component/s: controller
  • Labels:
    None

Description

When server is restarted while being logged in. Sometimes it's fail to login again. It's because some session and related cookie are remained in the spring security context.

I found following line in applicationContext-security.xml
<session-management invalid-session-url="/login" session-fixation-protection="migrateSession" />

migrateSession is

  • Indicates whether an existing session should be invalidated when a user authenticates and a new session
    started. If set to "none" no change will be made. "newSession" will create a new empty session.
    "migrateSession" will create a new session and copy the session attributes to the new session. Defaults to
    "migrateSession".

We may need newSession instead here.

Activity

Ascending order - Click to sort in descending order
Hide
Permalink
JunHo Yoon added a comment -

Mavlarn.. Please follow-up this issue.

Show
JunHo Yoon added a comment - Mavlarn.. Please follow-up this issue.
Hide
Permalink
Mavlarn Tuohuti added a comment -

It is related with tomcat configuration. In default, Tomcat will save sessions and use them after restart. But in our system, the session is not valid.
In tomcat's config:
<Context>

<!-- Default set of monitored resources -->
<WatchedResource>WEB-INF/web.xml</WatchedResource>

<!-- Uncomment this to disable session persistence across Tomcat restarts -->
<!--
<Manager pathname="" />
-->

</Context>

And the configuration of "session-fixation-protection" is used to protect from session stealing attack, I think it is not related with that problem.

Show
Mavlarn Tuohuti added a comment - It is related with tomcat configuration. In default, Tomcat will save sessions and use them after restart. But in our system, the session is not valid. In tomcat's config: <Context> <!-- Default set of monitored resources --> <WatchedResource>WEB-INF/web.xml</WatchedResource> <!-- Uncomment this to disable session persistence across Tomcat restarts --> <!-- <Manager pathname="" /> --> </Context> And the configuration of "session-fixation-protection" is used to protect from session stealing attack, I think it is not related with that problem.
Hide
Permalink
Mavlarn Tuohuti added a comment -

User should modify the tomcat configuration.

Show
Mavlarn Tuohuti added a comment - User should modify the tomcat configuration.
Hide
Permalink
JunHo Yoon added a comment -

Already done

Show
JunHo Yoon added a comment - Already done

People

  • Assignee:
    Mavlarn Tuohuti
    Reporter:
    JunHo Yoon
Vote (0)
Watch (2)

Dates

  • Created:
    Updated:
    Resolved: