Open erlendfg opened 5 years ago
I upgraded Spring Security and Spring Security Oauth to versions 5.1.6 and 2.3.6 respectively, but we're still facing the same problem with multiple session cookies.
Only one session cookie is created if I use Spring Security's own OIDC implementation, introduced in version 5. Even though I have found a workaround, I will keep this issue open in case there is a bug in Spring Security Oauth2. By the way, I have answered my own question on Stack Overflow: https://stackoverflow.com/questions/53480737/spring-session-redis-and-oauth2-not-working-together
Summary
Spring Security Oauth will not store clustered sessions when Spring Session is enabled, at least using Redis as a session repository. It seems that Spring Security Oauth does not use the replaced HttpSession, even though Spring Security does. When Spring Session is disabled, everything works as expected and only one session is being created.
Actual Behavior
Two session cookies are being created, one by Spring Session and another by Spring Security Oauth. See screenshot: http://folk.uio.no/erlendfg/oidc/two-sessions.png
Expected Behavior
Only one session cookie should be created.
Configuration
Configuration is included in the sample, see below.
Version
2.3.5.RELEASE
Sample
I have created a small Maven application in order to demonstrate this behaviour. Links to the application, sample code and a screenshot of duplicate sessions are available on Stack Overflow: https://stackoverflow.com/questions/53480737/spring-session-redis-and-oauth2-not-working-together