Describe the bug
On logout in a Reactive application, the WebSession is not invalidated.

To Reproduce
1. Login with a user.
2. Add attributes to the session.
3. Logout.
4. Login with the same or another user from the same browser.
5. Attributes added in step 2 are available in the new session.

See SessionInvalidationTest.java in the sample repo for the reproducer test case.

Reproduced for HTTP Basic in the provided test case and in OAuth2 login/logout in the product code.

Expected behavior
WebSession is invalidated on logout.

Actual behavior
Only the ID of the session (WebSession#changeSessionId) and the security context attribute are updated.

Workaround Add a custom ServerLogoutHandler wrapped in a DelegatingServerLogoutHandler to join it with the default SecurityContextServerLogoutHandler:

```java
.logout(logout -> logout
    .logoutHandler(new DelegatingServerLogoutHandler(
        // default handler: clears the SecurityContext and rotates the session ID
        new SecurityContextServerLogoutHandler(),
        // additional handler: invalidates the WebSession so attributes set before
        // logout are not visible to the next login from the same browser
        (exchange, authentication) -> exchange.getExchange()
                .getSession()
                .flatMap(WebSession::invalidate)
    ))
)
```

Sample https://github.com/orange-buffalo/spring-security-session-invalidation-reproducer

Comment From: marcusdacoregio

Hi @orange-buffalo, thanks for the report. It seems like you did it in the right way!

I will close this issue as resolved, but I'll tag @jzheaux to help confirm that this is the expected behavior; if not, we will reopen it.

Comment From: jzheaux

Yes, this is correct since there is no WebSessionServerLogoutHandler. However, I think it would be good to add this implementation. @orange-buffalo are you able to supply a PR for https://github.com/spring-projects/spring-security/issues/4838 which would introduce this logout handler?
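An illustration of what a dedicated handler of the kind proposed above could look like, together with a unit test that exercises it against a mock exchange. This is an added example, not Spring Security's own implementation and not code from the reporter's repository; the class name follows the one suggested in the comment, and the test's session attribute (`cart`) and the `/logout` path are constructed for the example. It relies on `MockServerWebExchange` and `MockWebSession` from spring-test and on JUnit 5.

```java
import org.junit.jupiter.api.Test;
import org.springframework.mock.http.server.reactive.MockServerHttpRequest;
import org.springframework.mock.web.server.MockServerWebExchange;
import org.springframework.mock.web.server.MockWebSession;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.server.WebFilterExchange;
import org.springframework.security.web.server.authentication.logout.ServerLogoutHandler;
import org.springframework.web.server.WebSession;
import reactor.core.publisher.Mono;

import static org.junit.jupiter.api.Assertions.assertFalse;
import static org.junit.jupiter.api.Assertions.assertTrue;

/**
 * Illustrative ServerLogoutHandler that invalidates the current WebSession.
 * Added example; the name follows the one proposed in the discussion and this
 * is not the framework's implementation.
 */
public final class WebSessionServerLogoutHandler implements ServerLogoutHandler {

    @Override
    public Mono<Void> logout(WebFilterExchange exchange, Authentication authentication) {
        // WebSession#invalidate expires the session and clears its attributes, so
        // nothing stored before logout is visible to the next login from the same browser.
        // An unstarted session is invalidated harmlessly.
        return exchange.getExchange()
                .getSession()
                .flatMap(WebSession::invalidate);
    }
}

class WebSessionServerLogoutHandlerTests {

    @Test
    void logoutInvalidatesSessionAndDropsAttributes() {
        // Constructed session standing in for one populated during a real login (step 2 of the report)
        MockWebSession session = new MockWebSession();
        session.getAttributes().put("cart", "item-42");

        MockServerWebExchange exchange = MockServerWebExchange
                .builder(MockServerHttpRequest.post("/logout").build())
                .session(session)
                .build();
        // The chain is never continued by a logout handler, so an empty continuation is enough
        WebFilterExchange filterExchange = new WebFilterExchange(exchange, ex -> Mono.empty());

        new WebSessionServerLogoutHandler().logout(filterExchange, null).block();

        assertTrue(session.isExpired(), "session must be expired after logout");
        assertFalse(session.getAttributes().containsKey("cart"), "attributes must not survive logout");
    }
}
```

It is wired the same way as the lambda in the reporter's workaround: passed to `DelegatingServerLogoutHandler` alongside `SecurityContextServerLogoutHandler`, because setting a single `logoutHandler` on the logout spec replaces the default handler rather than adding to it.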

Comment From: orange-buffalo

Yes, I should be able to handle it. I will be busy during the next few days, so I will start on this in a couple of weeks.