Reputation: 30189
I'm using Apache Ignite to cluster web sessions, and use Spring Security to do the form-based authentication. The software I use is:
(Without Apache Ignite, the form based authentication works fine, and the JSESSIONID cookie gets changed upon the success of authentication to protect against session fixation attacks, as expected.)
With Apache Ignite, I cannot log in, and I get the following warning:
2016-04-18 16:49:07,283 WARN org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy/onAuthentication 102 - Your servlet container did not change the session ID when a new session was created. You will not be adequately protected against session-fixation attacks
If I turn off session fixation protection in the Spring configuration as below:
<http>
...
<session-management session-fixation-protection="none" />
...
</http>
It works. (However as a result, the JSESSIONID cookie does not change upon the success of authentication.)
Upvotes: 1
Views: 887
Reputation: 30189
As advised by Valentin (thanks), I tried the nightly build from Apache Ignite, of version 1.6.0-SNAPSHOT#20160419-sha1:186c8604. Indeed, it works.
It works with the following Spring security configuration:
<http>
...
<session-management session-fixation-protection="none" />
...
</http>
And of course the JSESSIONID cookie does not change upon the success of Spring security authentication.
Then I comment out the following configuration:
<session-management session-fixation-protection="none" />
It also works. And upon the success of authentication, the JSESSIONID cookie gets changed as it is supposed to do.
OK, I'll use Ignite version 1.5.0.final for now (with no session-fixation-protection), and wait for the release of version 1.6.x.
Upvotes: 1
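A way to check directly whether a container or session store actually rotates session IDs, as an added diagnostic example (not code from the question, from Spring Security or from Ignite): it repeats the invalidate-and-recreate steps that Spring Security's migrateSession strategy performs and reports whether the ID changed, which is the exact condition behind the warning quoted above. The filter class name and the probe URL are assumptions; the filter must be mapped in web.xml before the session-clustering filter so it sees the clustered session.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.logging.Logger;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical diagnostic filter. It performs the same steps as Spring Security's
// SessionFixationProtectionStrategy (migrateSession): invalidate the current session,
// create a new one, copy the attributes across, then compare the two IDs. If the
// container or session store hands back the same ID, fixation protection is
// ineffective, which is what Spring's "did not change the session ID" warning reports.
public class SessionRotationProbeFilter implements Filter {
    private static final Logger LOG = Logger.getLogger(SessionRotationProbeFilter.class.getName());
    private static final String PROBE_PATH = "/session-rotation-probe"; // assumed URL

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        if (!PROBE_PATH.equals(request.getServletPath())) {
            chain.doFilter(req, res);   // not the probe: pass the request through untouched
            return;
        }
        HttpServletResponse response = (HttpServletResponse) res;
        HttpSession original = request.getSession(true);
        String originalId = original.getId();

        // Preserve attributes across the migration, as migrateSession does.
        Map<String, Object> attrs = new HashMap<>();
        for (String name : Collections.list(original.getAttributeNames())) {
            attrs.put(name, original.getAttribute(name));
        }
        original.invalidate();
        HttpSession fresh = request.getSession(true);
        for (Map.Entry<String, Object> e : attrs.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }

        // The session ID itself is deliberately not logged.
        boolean rotated = !originalId.equals(fresh.getId());
        if (!rotated) {
            LOG.warning("Session store reused the session ID after invalidation; "
                    + "session-fixation protection will not work on this container");
        }
        response.setContentType("text/plain");
        response.getWriter().println(rotated ? "OK: session ID rotated" : "FAIL: session ID unchanged");
    }
}
```

Requesting the probe URL with and without the clustering filter in the chain shows which layer fails to issue a new ID.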
Reputation: 813
Tomcat 7 has in-built functionality for session fixation; Tomcat is not letting the application change the session ID.
Upvotes: 0