SKS

Reputation: 133

HttpSessionListener doesn't work

I have implemented HttpSessionListener but it doesn't work. Checked it with a debugger: a new session is created after entering the servlet, JSESSION_ID changes after login, but session.getCreationTime() stays the same (the session stays the same?). Using annotations, Spring Security. Maybe I missed some config in Spring Security?

import java.util.concurrent.atomic.AtomicInteger;

import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

import org.apache.log4j.Logger;

@WebListener
public class SessionListener implements HttpSessionListener {

    // Listener callbacks run concurrently on container threads, so the counter must be atomic.
    private static final AtomicInteger totalActiveSessions = new AtomicInteger();
    private static final Logger log = Logger.getLogger(SessionListener.class);

    @Override
    public void sessionCreated(HttpSessionEvent se) {
        totalActiveSessions.incrementAndGet();
        log.warn("sessionCreated - add one session into counter");
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent se) {
        totalActiveSessions.decrementAndGet();
        log.debug("sessionDestroyed - deleted one session from counter");
    }
}

Upvotes: 5

Views: 5981

Answers (2)

Mark Pollard

Reputation: 19

To avoid a session fixation attack, Spring changes the session ID after the user is authenticated. You must also implement HttpSessionIdListener:

import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionIdListener; // Servlet 3.1+
import javax.servlet.http.HttpSessionListener;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

public class SessionListener implements HttpSessionListener, HttpSessionIdListener {

    private static final Logger LOGGER = LoggerFactory.getLogger(SessionListener.class);

    public SessionListener() {
    }

    @Override
    public void sessionCreated(final HttpSessionEvent event) {
        logIt(event.getSession(), "CREATED  ");
    }

    @Override
    public void sessionDestroyed(final HttpSessionEvent event) {
        logIt(event.getSession(), "DESTROYED");
    }

    private void logIt(HttpSession session, String action) {
        LOGGER.info("{}: {}, {}", action, session.getId(), Long.valueOf(session.getCreationTime()));
    }

    // Called when the container rotates the id (changeSessionId strategy): the HttpSession
    // object, and therefore its creation time, are unchanged; only the id is new.
    @Override
    public void sessionIdChanged(HttpSessionEvent event, String oldSessionId) {
        HttpSession session = event.getSession();
        LOGGER.info("CHANGED  : {} --> {}, {}", oldSessionId, session.getId(), Long.valueOf(session.getCreationTime()));
    }

}

Upvotes: 0

SKS

Reputation: 133

import org.springframework.boot.web.servlet.ServletListenerRegistrationBean;
import org.springframework.context.annotation.Bean;

// Registers the listener with the embedded container explicitly; @WebListener alone is not
// picked up by Spring Boot unless @ServletComponentScan is enabled.
@Bean
public ServletListenerRegistrationBean<HttpSessionListener> sessionListener() {
    return new ServletListenerRegistrationBean<HttpSessionListener>(new SessionListener());
}

This bean registered my listener. I haven't found another solution.

Upvotes: 4
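As an added example (not code from the question or either answer), a configuration that pulls the two answers together: the listener counts sessions atomically and implements HttpSessionIdListener so id rotation is visible, it is registered as a bean because an embedded Spring Boot container ignores @WebListener without @ServletComponentScan, and the session fixation strategy is set explicitly so it is clear which callbacks fire. Assumes Spring Boot 2.x with Spring Security 5.x (WebSecurityConfigurerAdapter) and javax.servlet; the class names are hypothetical.

```java
import java.util.concurrent.atomic.AtomicInteger;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionIdListener;
import javax.servlet.http.HttpSessionListener;
import org.springframework.boot.web.servlet.ServletListenerRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class SessionSecurityConfig extends WebSecurityConfigurerAdapter { // hypothetical name

    // Counts live sessions and observes id rotation; atomic because callbacks run concurrently.
    public static class CountingSessionListener implements HttpSessionListener, HttpSessionIdListener {
        private static final AtomicInteger ACTIVE = new AtomicInteger();

        @Override public void sessionCreated(HttpSessionEvent se)   { ACTIVE.incrementAndGet(); }
        @Override public void sessionDestroyed(HttpSessionEvent se) { ACTIVE.decrementAndGet(); }

        // changeSessionId strategy: same HttpSession, new id, creation time unchanged.
        // sessionCreated/sessionDestroyed do NOT fire here, so the count must not move.
        @Override public void sessionIdChanged(HttpSessionEvent se, String oldSessionId) {
            // Audit hook only: the old id is no longer accepted by the container.
        }

        public static int activeSessions() { return ACTIVE.get(); }
    }

    // Embedded Boot ignores @WebListener without @ServletComponentScan; register explicitly.
    @Bean
    public ServletListenerRegistrationBean<CountingSessionListener> countingSessionListener() {
        return new ServletListenerRegistrationBean<>(new CountingSessionListener());
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .sessionManagement()
                // changeSessionId (default on Servlet 3.1+) rotates the id in place and fires
                // sessionIdChanged; migrateSession()/newSession() invalidate the old session and
                // create a new one, so sessionDestroyed + sessionCreated fire instead.
                .sessionFixation().changeSessionId()
                .and()
            .authorizeRequests().anyRequest().authenticated()
                .and()
            .formLogin();
    }
}
```

With this configuration a login rotates JSESSIONID without touching the counter, while a logout (session invalidation) decrements it; switching to newSession() would make the counter dip and rise around each login.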
