
Description
Describe the bug
I use org.springframework.security.core.session.SessionRegistry to store the sessions of 2 tomcat instances in a database.
I used version 3.1.2 of spring and spring-security in the past, which didn't have session-fixation-protection set, so according to the docs migrateSession should be used. After upgrading all libraries (to switch from Java 8 to OpenJDK 11), it happened that very often (or always) the sessions were not removed from the SessionRegistry. According to the docs the new default value changeSessionId was used. I set session-fixation-protection="migrateSession" and everything worked again without a problem.
Versions:
Apache Tomcat 9
Spring: 5.3.6
Spring-Security: 5.4.6
This issue seems to be related, since my customer gave me the same steps to reproduce my problem: #3704
According to #5439, the SessionRegistry should work with changeSessionId.
To Reproduce
Expected behavior
SessionRegistry should work for every session-fixation-protection.
Sample
```xml
<form-login login-page="/login.jsf"
            login-processing-url="/security_check"
            authentication-success-handler-ref="loginSuccessHandler" />
<logout invalidate-session="false" logout-url="/logout" success-handler-ref="logoutSuccessHandler" />
<session-management
        session-fixation-protection="migrateSession"
        invalid-session-url="/login.jsf">
    <concurrency-control max-sessions="1"
                         error-if-maximum-exceeded="true"
                         expired-url="/login.jsf" session-registry-ref="sessionRegistry" />
</session-management>
```
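With changeSessionId the container keeps the session but replaces its id, so a registry that stores entries keyed by session id ends up holding the old id unless it is told about the change. The listener below is an added illustration (not code from the issue or from Spring Security) of how a custom, database-backed `SessionRegistry` can be re-keyed from Spring Security's `SessionIdChangedEvent`; it assumes `HttpSessionEventPublisher` is registered as a servlet listener so that the event is actually published, and that `registry` is the bean referenced by `session-registry-ref`.

```java
import org.springframework.context.ApplicationListener;
import org.springframework.security.core.session.SessionIdChangedEvent;
import org.springframework.security.core.session.SessionInformation;
import org.springframework.security.core.session.SessionRegistry;

/**
 * Keeps a session-id keyed registry in sync when the servlet container
 * changes a session's id (session-fixation-protection="changeSessionId").
 *
 * Assumption: org.springframework.security.web.session.HttpSessionEventPublisher
 * is declared as a <listener> in web.xml; without it no SessionIdChangedEvent
 * is published and this class never runs.
 */
public class SessionIdChangeRegistryUpdater implements ApplicationListener<SessionIdChangedEvent> {

    private final SessionRegistry registry; // e.g. the DB-backed registry shared by both Tomcats

    public SessionIdChangeRegistryUpdater(SessionRegistry registry) {
        this.registry = registry;
    }

    @Override
    public void onApplicationEvent(SessionIdChangedEvent event) {
        String oldId = event.getOldSessionId();
        String newId = event.getNewSessionId();

        SessionInformation old = registry.getSessionInformation(oldId);
        if (old == null) {
            // Session was never registered (e.g. anonymous), nothing to migrate.
            return;
        }

        // Re-key: drop the stale entry and register the same principal under the new id.
        registry.removeSessionInformation(oldId);
        registry.registerNewSession(newId, old.getPrincipal());

        // Preserve the expired flag so concurrency-control still sees the session as expired.
        if (old.isExpired()) {
            SessionInformation fresh = registry.getSessionInformation(newId);
            if (fresh != null) {
                fresh.expireNow();
            }
        }
    }
}
```

A quick check for this class of problem is to compare the ids in the registry table with the current `JSESSIONID` after login: under changeSessionId they should match, and a mismatch means the registry was not updated.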