Clear Spring Session for login?

Update. I expected this issue to be related to the specific version of Spring I was using, but Rob's answer indicates that this is probably something specific to my environment. We found a workaround for this particular issue (a filter that manually clears the session on login), so I marked Rob's answer as correct.


In my Spring application, my sessions persist between logins. I would like the session to be cleared on login.

I am using Spring Security 2.0.4 (don't ask) and my security configuration looks something like this:

<security:http ... session-fixation-protection="newSession">
    ...
    <security:logout invalidate-session="true" logout-success-url="/login.html" />
</security:http>


I was under the impression that session-fixation-protection = "newSession" would clear the session on user login. Another interesting point is that sessions are cleared on logout, so invalidate-session = "true" has the desired effect.

When testing, I use the following methods:

@RequestMapping(value = "writeSession")
String writeSession(HttpServletRequest request) {
  // store the currently authenticated user's name in the HTTP session
  request.getSession().setAttribute("username", MySecurityService.getLoggedInUsername());
  ...
}

@RequestMapping(value = "readSession")
String readSession(HttpServletRequest request) {
  // read it back; logs "null" if the session was cleared
  log.info("Current username: " + request.getSession().getAttribute("username"));
  ...
}


Then I:

  • Login as user1
  • Visit the writeSession function (sets the session username of user "user1")
  • Visit readSession (log output: Current username: user1)
  • Login as user2 (no logout)
  • Visit readSession (log output: Current username: user1)

Note that if I log out between steps 3 and 4, I get the expected result (Current username: null).

+3


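The workaround mentioned in the update (a filter that manually clears the session on login), written out as an added example; this is not code from the question, the answer or Spring Security itself. It assumes the default Spring Security 2.x form-login processing URL /j_spring_security_check and that the filter is mapped in web.xml ahead of springSecurityFilterChain, so that attributes written by a previously logged-in user never survive into the new principal's session.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Invalidates any pre-existing HTTP session when the login form is submitted.
 * Must be mapped BEFORE springSecurityFilterChain in web.xml so the old
 * session is gone by the time authentication creates the new one.
 */
public class ClearSessionOnLoginFilter implements Filter {

    // Assumption: the default Spring Security 2.x form-login URL is in use.
    // Override with the "loginProcessingUrl" init-param in web.xml if not.
    private String loginProcessingUrl = "/j_spring_security_check";

    public void init(FilterConfig config) throws ServletException {
        String configured = config.getInitParameter("loginProcessingUrl");
        if (configured != null && configured.length() > 0) {
            loginProcessingUrl = configured;
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            HttpServletRequest request = (HttpServletRequest) req;
            if (isLoginRequest(request)) {
                // false: do not create a session just to invalidate it
                HttpSession existing = request.getSession(false);
                if (existing != null) {
                    existing.invalidate();
                }
            }
        }
        chain.doFilter(req, res);
    }

    // Only POSTs to the login-processing URL count; strips the context path
    // and any ";jsessionid=..." suffix left by URL rewriting.
    boolean isLoginRequest(HttpServletRequest request) {
        String path = request.getRequestURI().substring(request.getContextPath().length());
        int semi = path.indexOf(';');
        if (semi >= 0) {
            path = path.substring(0, semi);
        }
        return "POST".equalsIgnoreCase(request.getMethod()) && loginProcessingUrl.equals(path);
    }

    public void destroy() {
    }
}
```

With this filter in front of the security chain, repeating the five-step test above logs "Current username: null" after the second login instead of "user1", because the session that held the attribute no longer exists.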


1 answer


I've created a sample that shows that in general this should work. See the so-clear-spring-session-on-login section of this git repo for a working example.

There can be several things that can cause problems depending on the rest of your configuration.



  • Can you share the rest of your Spring security configuration? For example, if you are switching between HTTP and HTTPS, it might be switching which session is in use. You can refer to the Spring Security FAQ for more details on what can go wrong with sessions.

  • What does the MySecurityService implementation look like?

  • What does your web.xml look like?

+1


