These are chat archives for spring-cloud/spring-cloud

4th
Jun 2015
Leon Radley
@leon
Jun 04 2015 08:47

Found the problem I think.
When calling the resource server it’s calling ChangeSessionIdAuthenticationStrategy.
And if I have multiple ajax requests on the go to the same server, one of the requests will come first and return a Set-Cookie changing the session id. And if the other requests have already been asked, they have the wrong session id, since it’s been changed.

I know the ChangeSessionIdAuthenticationStrategy is there to help prevent session fixation, but is there a workaround?

Leon Radley
@leon
Jun 04 2015 09:00

I think I figured it out. Since the resource server is stateless, but the SSO isn’t, I needed to add

.sessionManagement()
    .sessionCreationPolicy(SessionCreationPolicy.STATELESS)

to the @EnableResourceServer config, otherwise it was interfering with the SSO session.