From 0acf26254669556755e333e9c6acbdd3a070c7e5 Mon Sep 17 00:00:00 2001
From: Luke Taylor
Date: Tue, 20 Apr 2010 18:16:45 +0100
Subject: [PATCH] SEC-1462: Added suggested patch (effectively the same as changes in 3.0.x and master branches).
---
 .../security/ui/SessionFixationProtectionFilter.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/core/src/main/java/org/springframework/security/ui/SessionFixationProtectionFilter.java b/core/src/main/java/org/springframework/security/ui/SessionFixationProtectionFilter.java
index 792e6cc33c..d8397878f0 100644
--- a/core/src/main/java/org/springframework/security/ui/SessionFixationProtectionFilter.java
+++ b/core/src/main/java/org/springframework/security/ui/SessionFixationProtectionFilter.java
@@ -48,7 +48,7 @@ public class SessionFixationProtectionFilter extends SpringSecurityFilter {
 protected void doFilterHttp(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
 throws IOException, ServletException {
 // Session fixation isn't a problem if there's no session
- if(request.getSession(false) == null || request.getAttribute(FILTER_APPLIED) != null) {
+ if(request.getSession(false) == null || request.getAttribute(FILTER_APPLIED) != null || !request.isRequestedSessionIdValid()) {
 chain.doFilter(request, response);
 return;
 }
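Review bot: The comment above the changed condition still says only "Session fixation isn't a problem if there's no session", so the new `!request.isRequestedSessionIdValid()` clause, which makes the filter skip its protection entirely, is left unexplained. Presumably the reasoning is that a session which exists while the client-supplied id is absent or invalid must have been created during this request, so nobody can have planted its id beforehand; that should be stated next to the check, e.g. `// ...or if the client did not present a valid session id: the session was then created in this request`. The diffstat shows one file changed, so no test pins this branch; a case with an existing session and an invalid requested id would keep the bypass from being widened unnoticed later. doFilterHttp's body continues past the end of the hunk, so the effect on the rest of the method cannot be checked from here.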