Can you open a JIRA issue for this with the Spring Security project? Thanks Scott
On Tue, Jan 11, 2011 at 5:26 AM, fdubois <[email protected]> wrote: > Hello, > > I have a problem with the Single Sign Out feature working with > session-fixation protection feature. > > Indeed, Spring Security ConcurrentSessionControlStrategy always invalidate > the existing session (call of session.invalidate()) and create new one to > prevent from session-fixation attacks. > > So, after CAS login process, > SingleSignOutHttpSessionListener.sessionDestroyed() is called causing "ST to > original session association" to be removed from SESSION_MAPPING_STORAGE. > > When a single sign out request is post, the new session isn't invalidate > because "ST to new session association" were never been registered in > SESSION_MAPPING_STORAGE. > > Versions : > Spring Security 3.0.5.RELEASE > Spring Security CAS Client 3.0.5.RELEASE > Cas Client Core 3.1.10 > Cas Server 3.4.4 > > Thanks for reply > Fabrice DUBOIS > -- > You are currently subscribed to [email protected] as: > [email protected] > To unsubscribe, change settings or access archives, see > http://www.ja-sig.org/wiki/display/JSG/cas-user > -- You are currently subscribed to [email protected] as: [email protected] To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
