Describe the bug
The Spring Security framework has assigned an identical (duplicate) pre-auth session ID to a user, the same as the one previously registered for another user. This results in the session ID already existing and matching the session ID from the client, leading to session attributes being copied to the new session without triggering any of the project's source code related to session management. Consequently, the project's source code logic for handling the session is bypassed.
To Reproduce
It is a sporadic issue and there is no specific way to reproduce it, but it is occurring mostly when more than 20 users are attempting to log in.
Expected behavior
Spring Security should not assign the same pre-auth session ID as that of an already logged-in user.
Sample
From the application log it is evident that User "17" logged in with a session ID ending in 0EF.
After User 18 attempts to log in, they are assigned a pre-auth session ID identical to User 17's, ending with 0EF. This session ID then changes to one ending with 5BA. Consequently, both User 18 and User 17 communicate with the backend using the same session ID, bypassing the project's source code exception related to session management.
Attached is an image of the application logs that provide proof of this issue during User 18's login.
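As an added example (not code from the reporter or from Spring Security), a log-audit check that finds what the report describes: a session ID seen with two different users, and a pre-auth session ID handed to a new user while it is still bound to an authenticated one. The log line format and the full session IDs are assumed and constructed here; only the ...0EF and ...5BA suffixes come from the report.

```python
import re
from collections import defaultdict

# Constructed sample log lines (assumed format; the report's real logs are only an
# image). They model the described sequence: user 17 is logged in on session ...0EF,
# user 18 is then handed a pre-auth session with the same id, which changes to ...5BA.
SAMPLE_LOG = """\
10:00:01 INFO login user=17 session=A1B2C3D4E5F60EF phase=authenticated
10:00:02 INFO request user=17 session=A1B2C3D4E5F60EF path=/api/orders
10:00:03 INFO login user=18 session=A1B2C3D4E5F60EF phase=pre-auth
10:00:04 INFO login user=18 session=9F8E7D6C5B4A5BA phase=authenticated
10:00:05 INFO request user=17 session=A1B2C3D4E5F60EF path=/api/profile
10:00:06 INFO request user=19 session=1234567890ABCDE path=/api/orders
"""

LINE_RE = re.compile(r"user=(?P<user>\S+)\s+session=(?P<sid>\S+)(?:\s+phase=(?P<phase>\S+))?")

def parse(log_text):
    """Yield (user, session_id, phase_or_None) for each line that carries a session id."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("user"), m.group("sid"), m.group("phase")

def shared_sessions(log_text):
    """Session ids observed with more than one distinct user, users in order of first sight."""
    users_by_sid = defaultdict(list)
    for user, sid, _ in parse(log_text):
        if user not in users_by_sid[sid]:
            users_by_sid[sid].append(user)
    return {sid: users for sid, users in users_by_sid.items() if len(users) > 1}

def reused_preauth_ids(log_text):
    """(session_id, authenticated_owner, new_user) for pre-auth ids already owned by another user."""
    owner = {}  # session id -> user that authenticated on it
    findings = []
    for user, sid, phase in parse(log_text):
        if phase == "pre-auth" and sid in owner and owner[sid] != user:
            findings.append((sid, owner[sid], user))
        elif phase == "authenticated":
            owner[sid] = user
    return findings

if __name__ == "__main__":
    for sid, users in shared_sessions(SAMPLE_LOG).items():
        print(f"session ...{sid[-3:]} used by users {users}")
    for sid, old, new in reused_preauth_ids(SAMPLE_LOG):
        print(f"pre-auth id ...{sid[-3:]} given to user {new} while bound to user {old}")
```

Run against real application logs, the second check is the one that distinguishes this bug from ordinary session fixation handling: a collision is flagged at the moment the duplicate pre-auth id is issued, before any attribute copy happens.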