Spring Security SEC-2470: SessionFixationProtectionStrategy should migrate maxInactiveInterval

Dan Dormont (Migrated from SEC-2470) said:

When SessionFixationProtectionStrategy creates a new HTTPSession based on an existing session, even if migrateSessionAttributes is enabled, it does not preserve the maxInactiveInterval value from the previous session.

The Javadoc doesn't say it does, so perhaps this isn't strictly a bug, but it seems like a reasonable expectation that SessionFixationProtectionStrategy would have this behavior.

Comment From: spring-projects-issues

Rob Winch said:

I can understand the confusion, but the session attributes are attributes defined by HttpSession#getAttribute(String). This does not include other properties of HttpSession. I have changed this to an enhancement and scheduled it for the next non-patch release.