SessionFixationProtectionEvent is not published in Spring WebFlux #9189
Labels
in: web
An issue in web modules (web, webmvc)
status: invalid
An issue that we don't feel is valid
type: bug
A general bug
Describe the bug
with the default configuration, spring security invalidates the existing session when the user authenticates and creates a new one. it is sensible to prevent session fixation attack.
SessionFixationProtectionEvent is not working when I use it in ApplicationListener implementation.
To Reproduce
Expected behavior
there is no stdout logs in console.
Sample
just create secure webflux project. for example, /hello api.
/hello (session-id=x)
/login (redirected to login,session-id=x)
after successfull authentication, session-id is set to y.
/hello (session-id=y)
The text was updated successfully, but these errors were encountered: