Hello, I have a problem with the Single Sign Out feature working with session-fixation protection feature.
Indeed, Spring Security ConcurrentSessionControlStrategy always invalidate the existing session (call of session.invalidate()) and create new one to prevent from session-fixation attacks. So, after CAS login process, SingleSignOutHttpSessionListener.sessionDestroyed() is called causing "ST to original session association" to be removed from SESSION_MAPPING_STORAGE. When a single sign out request is post, the new session isn't invalidate because "ST to new session association" were never been registered in SESSION_MAPPING_STORAGE. Versions : Spring Security 3.0.5.RELEASE Spring Security CAS Client 3.0.5.RELEASE Cas Client Core 3.1.10 Cas Server 3.4.4 Thanks for reply Fabrice DUBOIS -- You are currently subscribed to [email protected] as: [email protected] To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
