Sharg

Reputation: 155

Re-login in Flex causing Channel.Connect.Failed error NetConnection.Call.Failed: HTTP: Status 500: url

We are having a problem with re-login in our Flex application using Flex 4, BlazeDS and WebLogic 10.3.5.

The use case causing problems is like the following:

  1. Starting the application in a browser.
  2. Redirect to the login form page with j_security_check action.
  3. Logging in and using the application.
  4. Hitting the "Back" button in the browser.
  5. Coming to the login form page again.
  6. Logging in again.
  7. Getting exception in BlazeDS and catching Fault in Flex/ActionScript.

The exception caught in the log on WLS:

[BlazeDS]Unexpected error encountered in Message Broker servlet
flex.messaging.LocalizedException: The FlexSession is invalid.
        at flex.messaging.FlexSession.checkValid(FlexSession.java:943)
        at flex.messaging.FlexSession.getUserPrincipal(FlexSession.java:254)
        at flex.messaging.HttpFlexSession.getUserPrincipal(HttpFlexSession.java:286)
        at flex.messaging.MessageBrokerServlet.service(MessageBrokerServlet.java:296)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
        at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
        at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
        at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:300)
        at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:183)
        at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.wrapRun(WebAppServletContext.java:3717)
        at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3681)
        at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
        at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
        at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2277)
        at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2183)
        at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1454)
        at weblogic.work.ExecuteThread.execute(ExecuteThread.java:209)
        at weblogic.work.ExecuteThread.run(ExecuteThread.java:178)

The Fault caught in Flex/ActionScript:

faultCode: Client.Error.MessageSend
faultString: Send failed
faultDetail: Channel.Connect.Failed error NetConnection.Call.Failed: HTTP: Status 500: url: 'http://server:port/web-project/messagebroker/amf'

It seems that BlazeDS gets a second session while the first is still valid and active.

Does anyone know what exactly causes this problem and how to solve it elegantly? I have a few tips but don't know if they are suitable enough:

I would appreciate any suggestions, explanations and advice. Thanks.

Upvotes: 1

Views: 2841

Answers (2)

Vespucci75fr

Reputation: 388

I had the same problem, but I wanted to keep all session attributes, not only Spring ones, so I didn't set migrateSessionAttributes to false, in order to keep non-Spring attributes on session fixation.

I ended up overriding SessionFixationProtectionStrategy, so I can still benefit from session fixation protection, which migrates all attributes.

In the onSessionChange method, I specifically removed the "__flexSession" attribute:

package xxxxx;

import javax.servlet.http.HttpSession;

import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy;
import org.springframework.stereotype.Component;


@Component
public class MySessionFixationProtectionStrategy extends SessionFixationProtectionStrategy {
    // Attribute name under which BlazeDS stores its FlexSession in the HttpSession
    private static final String FLEX_SESSION_ATTRIBUTE = "__flexSession";

    @Override
    protected void onSessionChange(String originalSessionId, HttpSession newSession, Authentication authentication) {
        // We remove the flex session attribute to avoid the "The FlexSession is invalid." exception;
        // the migrated FlexSession is still bound to the old, now invalidated, HttpSession.
        newSession.removeAttribute(FLEX_SESSION_ATTRIBUTE);

        super.onSessionChange(originalSessionId, newSession, authentication);
    }
}

Upvotes: 0

Nick Deyoung

Reputation: 11

The problem is session fixation.

What happens:

  • You log in
  • You get a session
  • You get a FlexSession (set as a session attribute)
  • You click the back button
  • You log in (passing in the old jsessionid)

Spring's SessionFixationProtectionStrategy:

  • detects that the session for the jsessionid is valid
  • extracts the old session's attributes
  • invalidates the session (destroys it)
  • creates a new session
  • transfers the old session's attributes to the new session

The FlexSession becomes 'invalid' when the old session gets destroyed.

FlexSessions are created again when a session is created, and since the strategy passes the same reference that gets invalidated, (in a thick Russian accent) "we have problem".

This was easily solved by setting the strategy's bMigrateAttributes to false:

<security:session-management session-authentication-strategy-ref="sas" />

<bean id="sas"
      class="org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy"
      p:migrateSessionAttributes="false" />

http://static.springsource.org/spring-security/site/docs/3.0.x/reference/session-mgmt.html

Hope this helps.

Upvotes: 1
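The mechanism both answers describe, as an added example that is not code from the question or either answer: a self-contained Java model with stand-ins for HttpSession, BlazeDS's FlexSession and SessionFixationProtectionStrategy (the Fake* classes, `amfCall` and `reloginWorks` are hypothetical names), showing why a migrated `__flexSession` still fails checkValid after re-login, and that either fix (migrateSessionAttributes=false, or dropping the attribute in onSessionChange) avoids it.

```java
import java.util.HashMap;
import java.util.Map;

// Hypothetical stand-in for HttpSession: attributes plus a validity flag.
class FakeHttpSession {
    private final Map<String, Object> attrs = new HashMap<>();
    boolean valid = true;
    Object getAttribute(String k) { return attrs.get(k); }
    void setAttribute(String k, Object v) { attrs.put(k, v); }
    void removeAttribute(String k) { attrs.remove(k); }
    Map<String, Object> attributes() { return attrs; }
    void invalidate() { valid = false; attrs.clear(); }
}
// Hypothetical stand-in for FlexSession: it stays bound to the HttpSession it was created in.
class FakeFlexSession {
    private final FakeHttpSession backing;
    FakeFlexSession(FakeHttpSession s) { backing = s; }
    void checkValid() {                           // mirrors FlexSession.checkValid from the stack trace
        if (!backing.valid) throw new IllegalStateException("The FlexSession is invalid.");
    }
}
public class FlexSessionFixationDemo {
    static final String FLEX = "__flexSession";
    // Models SessionFixationProtectionStrategy on re-login: copy attributes, invalidate the
    // old session, create a new one, optionally migrate the copied attributes into it.
    static FakeHttpSession onAuthentication(FakeHttpSession old, boolean migrate, boolean dropFlex) {
        Map<String, Object> copy = new HashMap<>(old.attributes());
        old.invalidate();
        FakeHttpSession fresh = new FakeHttpSession();
        if (migrate) fresh.attributes().putAll(copy);
        if (dropFlex) fresh.removeAttribute(FLEX);    // the onSessionChange override from the first answer
        return fresh;
    }
    // Models MessageBrokerServlet: reuse the session's FlexSession or create one, then validate it.
    static boolean amfCall(FakeHttpSession s) {
        FakeFlexSession fs = (FakeFlexSession) s.getAttribute(FLEX);
        if (fs == null) { fs = new FakeFlexSession(s); s.setAttribute(FLEX, fs); }
        try { fs.checkValid(); return true; } catch (IllegalStateException e) { return false; }
    }
    // First login binds a FlexSession to the first session; Back button + second login re-authenticates.
    static boolean reloginWorks(boolean migrate, boolean dropFlex) {
        FakeHttpSession first = new FakeHttpSession();
        amfCall(first);
        return amfCall(onAuthentication(first, migrate, dropFlex));
    }
    public static void main(String[] args) {
        System.out.println("default (attributes migrated):   " + reloginWorks(true, false));
        System.out.println("migrateSessionAttributes=false:  " + reloginWorks(false, false));
        System.out.println("override drops __flexSession:    " + reloginWorks(true, true));
    }
}
```

Only the first scenario reaches checkValid with a FlexSession whose backing session has been invalidated, which is the HTTP 500 the question reports.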
