
SEC-1379: Added creation of a session if session timeout is detected (requested session ID is invalid).

This prevents problems with repeated detection of the same invalid session when the redirected request comes in.
Luke Taylor 15 年之前
父节点
当前提交
0974e21fb6

+ 1 - 1
samples/tutorial/src/main/webapp/WEB-INF/applicationContext-security.xml

@@ -33,7 +33,7 @@
         <x509 />
 -->
         <!-- Uncomment to limit the number of sessions a user can have -->
-        <session-management invalid-session-url="/something">
+        <session-management invalid-session-url="/timeout.jsp">
             <concurrency-control max-sessions="1" error-if-maximum-exceeded="true" />
         </session-management>
 
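Review bot: The new `invalid-session-url="/timeout.jsp"` on line 19 points at a page that the redirected, now-unauthenticated request must be able to reach; if `/timeout.jsp` is not permitted to all or excluded from the secured paths, the redirect itself is intercepted and the user never sees the page. Worth confirming that the sample's intercept-url rules allow it. The preceding comment `<!-- Uncomment to limit the number of sessions a user can have -->` describes only the concurrency-control child and could also mention that this element is what enables invalid-session handling.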

+ 13 - 0
samples/tutorial/src/main/webapp/timeout.jsp

@@ -0,0 +1,13 @@
+<%@page session="false" %>
+<%@ taglib prefix="c" uri="http://java.sun.com/jstl/core_rt"%>
+
+<html>
+<title>Session Timeout</title>
+<body>
+<h2>Invalid Session</h2>
+
+<p>
+Your session appears to have timed out. Please <a href="<c:url value='/'/>">start again</a>.
+</p>
+</body>
+</html>
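Review bot: The `<title>` on line 32 sits directly under `<html>` with no `<head>` element, and the document has no doctype, so the markup is not well-formed HTML; wrapping the title as `<head><title>Session Timeout</title></head>` is a one-line fix. The `session="false"` directive on line 28 is the right choice here, since it keeps this page from creating a session of its own on top of the one the filter now starts, and that intent deserves a short JSP comment such as `<%-- session="false": the filter already created the new session before redirecting here --%>`.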

+ 2 - 1
web/src/main/java/org/springframework/security/web/session/SessionManagementFilter.java

@@ -84,7 +84,8 @@ public class SessionManagementFilter extends GenericFilterBean {
                     logger.debug("Requested session ID" + request.getRequestedSessionId() + " is invalid.");
 
                     if (invalidSessionUrl != null) {
-                        logger.debug("Redirecting to '" + invalidSessionUrl + "'");
+                        logger.debug("Starting new session (if required) and redirecting to '" + invalidSessionUrl + "'");
+                        request.getSession();
                         redirectStrategy.sendRedirect(request, response, invalidSessionUrl);
 
                         return;
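Review bot: The added `request.getSession();` on line 51 discards its return value and exists only for the side effect of creating a session, which reads as a stray call without a comment; suggest `// Create a fresh session now so the redirected request carries a valid ID and is not flagged as invalid again.` This also means a server-side session is allocated for every request that presents an unrecognised session ID, before any authentication has happened, so it is worth confirming that this per-request allocation is acceptable at this filter's position in the chain. The enclosing doFilter method starts and ends outside the hunk.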