From 0974e21fb621d604e65141cca1dd1116e8ae42da Mon Sep 17 00:00:00 2001 From: Luke Taylor Date: Sat, 23 Jan 2010 00:10:32 +0000 Subject: [PATCH] SEC-1379: Added creation of a session if session timeout is detected (requested session ID is invalid). This prevents problems with repeated detection of the same invalid session when the redirected request comes in. --- .../webapp/WEB-INF/applicationContext-security.xml | 2 +- samples/tutorial/src/main/webapp/timeout.jsp | 13 +++++++++++++ .../web/session/SessionManagementFilter.java | 3 ++- 3 files changed, 16 insertions(+), 2 deletions(-) create mode 100644 samples/tutorial/src/main/webapp/timeout.jsp diff --git a/samples/tutorial/src/main/webapp/WEB-INF/applicationContext-security.xml b/samples/tutorial/src/main/webapp/WEB-INF/applicationContext-security.xml index 1e3309df18..129ffb4f53 100644 --- a/samples/tutorial/src/main/webapp/WEB-INF/applicationContext-security.xml +++ b/samples/tutorial/src/main/webapp/WEB-INF/applicationContext-security.xml @@ -33,7 +33,7 @@ --> - + diff --git a/samples/tutorial/src/main/webapp/timeout.jsp b/samples/tutorial/src/main/webapp/timeout.jsp new file mode 100644 index 0000000000..10e7fc7c92 --- /dev/null +++ b/samples/tutorial/src/main/webapp/timeout.jsp @@ -0,0 +1,13 @@ +<%@page session="false" %> +<%@ taglib prefix="c" uri="http://java.sun.com/jstl/core_rt"%> + + +Session Timeout + +

Invalid Session

+ +

+Your session appears to have timed out. Please start again. +

+
+
diff --git a/web/src/main/java/org/springframework/security/web/session/SessionManagementFilter.java b/web/src/main/java/org/springframework/security/web/session/SessionManagementFilter.java
index 155cd75284..9c81fc62d4 100644
--- a/web/src/main/java/org/springframework/security/web/session/SessionManagementFilter.java
+++ b/web/src/main/java/org/springframework/security/web/session/SessionManagementFilter.java
@@ -84,7 +84,8 @@ public class SessionManagementFilter extends GenericFilterBean {
 logger.debug("Requested session ID" + request.getRequestedSessionId() + " is invalid.");
 if (invalidSessionUrl != null) {
- logger.debug("Redirecting to '" + invalidSessionUrl + "'");
+ logger.debug("Starting new session (if required) and redirecting to '" + invalidSessionUrl + "'");
+ request.getSession();
 redirectStrategy.sendRedirect(request, response, invalidSessionUrl);
 return;
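Review bot: The added `request.getSession();` runs for every request whose requested session ID is invalid, so a client that keeps presenting a stale or made-up ID and never adopts the new cookie gets a fresh server-side session allocated on each request. This branch appears to be reachable before authentication, which leaves session growth bounded only by the container's session timeout and whatever max-session or rate limits are configured outside this filter. The discarded return value also reads like a leftover, so the line deserves a comment such as `// Create a session so the redirected request carries a valid ID; note this allocates a session for an unauthenticated client`. Whether the redirect URL is encoded for cookie-less clients depends on `redirectStrategy`, which is not visible here; the enclosing method starts and ends outside the hunk.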