rg.springframework.security.web.authentication.session.SessionFixationProtectionStrategy - Invalidating session with Id '1Xih9jabIqjCtnNqIt1e6w__.node1' and migrating attributes.
2012-04-17 16:32:41,481 INFO [STDOUT] (http-0.0.0.0-8080-11) SESSION DESTROYED: 1Xih9jabIqjCtnNqIt1e6w__.node1
2012-04-17 16:32:41,482 INFO [STDOUT] (http-0.0.0.0-8080-11) NEW SESSION CREATED: Mo0vId0MsOE6HS0+TQpZ6Q__.node1 of 3
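Is there some way to turn off this SessionFixationProtectionStrategy, or to fix the attribute migration? It does not migrate the session attributes, which breaks a lot of things.
Answer 0 (score: 4)
Session fixation protection can be turned off with the following: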
<http [...]>
[...]
<session-management session-fixation-protection="none"/>
[...]
</http>
Answer 1 (score: 0)
Or.. if you still need to protect yourself against fixation problems:
<bean id="concurrentSessionControlStrategy"
class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy"
c:sessionRegistry-ref="sessionRegistry"
p:maximumSessions="5"
p:alwaysCreateSession="true"
p:migrateSessionAttributes="true"
p:exceptionIfMaximumExceeded="false"/>
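
One way the strategy bean from Answer 1 could be wired into `<http>` so that session fixation protection stays on, contrasted with the `none` setting from Answer 0. This is an added example, not part of the original question or answers; it assumes Spring Security 3.1 with Spring 3.1 (for the `c:` namespace), and the `sec:` prefix, the `sessionRegistry` bean definition, the URL pattern and the demo user are constructed for illustration.

```xml
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:sec="http://www.springframework.org/schema/security"
       xmlns:c="http://www.springframework.org/schema/c"
       xmlns:p="http://www.springframework.org/schema/p"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="
         http://www.springframework.org/schema/beans
         http://www.springframework.org/schema/beans/spring-beans.xsd
         http://www.springframework.org/schema/security
         http://www.springframework.org/schema/security/spring-security.xsd">

  <sec:http auto-config="true">
    <sec:intercept-url pattern="/**" access="ROLE_USER"/>

    <!-- Weak setting from Answer 0, shown for contrast only:
         <sec:session-management session-fixation-protection="none"/>
         leaves the pre-login session id valid after authentication. -->

    <!-- Protection stays on: the referenced strategy invalidates the old
         session at login and creates a new one with a new id. -->
    <sec:session-management
        session-authentication-strategy-ref="concurrentSessionControlStrategy"/>
  </sec:http>

  <!-- Assumed registry bean; Answer 1 refers to it by the name "sessionRegistry". -->
  <bean id="sessionRegistry"
        class="org.springframework.security.core.session.SessionRegistryImpl"/>

  <!-- Strategy bean as posted in Answer 1. migrateSessionAttributes="true"
       asks the strategy to copy the old session's attributes to the new one. -->
  <bean id="concurrentSessionControlStrategy"
        class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy"
        c:sessionRegistry-ref="sessionRegistry"
        p:maximumSessions="5"
        p:alwaysCreateSession="true"
        p:migrateSessionAttributes="true"
        p:exceptionIfMaximumExceeded="false"/>

  <!-- Constructed in-memory user so the context starts; replace with the real provider. -->
  <sec:authentication-manager>
    <sec:authentication-provider>
      <sec:user-service>
        <sec:user name="demo" password="demo" authorities="ROLE_USER"/>
      </sec:user-service>
    </sec:authentication-provider>
  </sec:authentication-manager>
</beans>
```

For the session registry to learn about destroyed sessions, Spring Security's `HttpSessionEventPublisher` listener also has to be registered in `web.xml`.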