From a45d2a4fb2d475add70c795310c69f7e557c8749 Mon Sep 17 00:00:00 2001
From: Luke Taylor
Date: Tue, 20 Apr 2010 18:04:22 +0100
Subject: [PATCH] SEC-1462: Only apply session fixation protection strategy if request.isRequestedSessionIdValid() returns true. We don't need to create a new session if the current one already has a different Id from the client.
---
 .../session/SessionFixationProtectionStrategy.java | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/web/src/main/java/org/springframework/security/web/authentication/session/SessionFixationProtectionStrategy.java b/web/src/main/java/org/springframework/security/web/authentication/session/SessionFixationProtectionStrategy.java
index 29406d261e..1d84114528 100644
--- a/web/src/main/java/org/springframework/security/web/authentication/session/SessionFixationProtectionStrategy.java
+++ b/web/src/main/java/org/springframework/security/web/authentication/session/SessionFixationProtectionStrategy.java
@@ -55,8 +55,11 @@ public class SessionFixationProtectionStrategy implements SessionAuthenticationS
     /**
      * Called when a user is newly authenticated.
      *

-     * If a session already exists, a new session will be created, the session attributes copied to it (if
-     * migrateSessionAttributes is set) and the sessionRegistry updated with the new session information.
+     * If a session already exists, and matches the session Id from the client, a new session will be created, and the
+     * session attributes copied to it (if migrateSessionAttributes is set).
+     * The sessionRegistry will be updated with the new session information. If the client's requested session Id is
+     * invalid, nothing will be done, since there is no need to change the session Id if it doesn't match the current
+     * session.
      *

      * If there is no session, no action is taken unless the alwaysCreateSession property is set, in which
      * case a session will be created if one doesn't already exist.
@@ -73,7 +76,7 @@ public class SessionFixationProtectionStrategy implements SessionAuthenticationS
         // Create new session if necessary
         HttpSession session = request.getSession();
-        if (hadSessionAlready) {
+        if (hadSessionAlready && request.isRequestedSessionIdValid()) {
             // We need to migrate to a new session
             String originalSessionId = session.getId();
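Review bot: The new guard `if (hadSessionAlready && request.isRequestedSessionIdValid())` rests on an assumption the code does not record: a session that exists while the client's requested id is invalid must have been created server-side earlier in this request, so its id was never in the client's hands and migration is unnecessary. A comment on that line would keep a later maintainer from dropping the second operand as redundant, e.g. `// No migration needed when the client's id is not the live session's id: that session was created server-side during this request, so its id was never exposed (SEC-1462)`. The assumption presumably also requires that the container issues a fresh id when creating that session rather than reusing the client-supplied one; if any supported container can reuse it, the guard would skip migration exactly when it is needed, so that case deserves a test or at least a note on the field. The first hunk's Javadoc says the session must "match the session Id from the client", whereas the code only checks that the requested id is valid, so the Javadoc could state that precisely. The enclosing onAuthentication method starts and ends outside this hunk.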