**Describe the bug**
Spring Session cannot handle Spring Boot 2.3 and 2.4 sessions in parallel, because the serialization of SecurityContextImpl is neither backward nor forward compatible:
```
java.io.InvalidClassException: org.springframework.security.core.context.SecurityContextImpl; local class incompatible: stream classdesc serialVersionUID = 540, local class serialVersionUID = 530
```
This makes it impossible to migrate from Spring Boot 2.3 to 2.4 without downtime.
**To Reproduce**
Use Spring Session (e.g. Redis) to share sessions between Spring Boot 2.3 and 2.4 applications.
**Expected behavior**
No serialization failures. 2.3 sessions can be handled by 2.4 and vice versa.
**Comment From: eleftherias**
Thanks for the report @markusheiden.
Spring Security is not intended to be serialized between versions. See #1945 for the explanation.
There are some suggestions on how this might work in the future in #3737.
To mitigate this, you can invalidate the sessions, which will let users get a new one.
You can also switch to Jackson serialization to avoid this issue in future version upgrades. See #3736
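The Jackson switch recommended here, together with the allowlist errors zkirill reports further down the thread (FlashMap and CopyOnWriteArrayList not being accepted), as an added configuration example that is not code from the Spring Session project or from any commenter. It assumes Spring Session Data Redis, Spring Security's `SecurityJackson2Modules` and Spring Data Redis's `GenericJackson2JsonRedisSerializer` are on the classpath, and that a class outside Spring Security's built-in allowlist becomes deserializable once a mix-in carrying `@JsonTypeInfo` is registered for it (that last point is an assumption; the class and mix-in names are mine):

```java
import java.util.concurrent.CopyOnWriteArrayList;

import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.ObjectMapper;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.data.redis.serializer.GenericJackson2JsonRedisSerializer;
import org.springframework.data.redis.serializer.RedisSerializer;
import org.springframework.security.jackson2.SecurityJackson2Modules;
import org.springframework.web.servlet.FlashMap;

/**
 * Hypothetical configuration (not from Spring Session): replaces JDK serialization of
 * session attributes with Jackson JSON, so that SecurityContextImpl no longer depends on
 * serialVersionUID matching between Spring Security versions.
 */
@Configuration
public class SessionSerializationConfig {

    // Spring Session's RedisHttpSessionConfiguration looks for a RedisSerializer<Object>
    // bean with exactly this name and uses it for every stored session attribute.
    @Bean("springSessionDefaultRedisSerializer")
    public RedisSerializer<Object> springSessionDefaultRedisSerializer() {
        ObjectMapper mapper = new ObjectMapper();

        // Registers Spring Security's own Jackson modules. They carry the mix-ins and the
        // class allowlist for SecurityContextImpl, Authentication, GrantedAuthority, etc.
        mapper.registerModules(SecurityJackson2Modules.getModules(getClass().getClassLoader()));

        // Assumption: a mix-in with @JsonTypeInfo is what lets a class outside that allowlist
        // round-trip. These two are the ones reported in this thread as missing for flash
        // attributes; add only classes your application really stores in the session.
        mapper.addMixIn(FlashMap.class, AllowlistedTypeMixin.class);
        mapper.addMixIn(CopyOnWriteArrayList.class, AllowlistedTypeMixin.class);

        return new GenericJackson2JsonRedisSerializer(mapper);
    }

    // Embeds the concrete class name as type information so Jackson can rebuild the
    // exact type on read. Name and shape are mine, modelled on Spring Security's mix-ins.
    @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS)
    abstract static class AllowlistedTypeMixin {
    }
}
```

Two things to check before relying on this: sessions already stored with JDK serialization cannot be read by the JSON serializer, so the switch itself still needs a namespace or database change (as described later in the thread) or a one-time sign-out; and because `FlashMap` extends `HashMap`, Jackson writes it as a plain map, so verify in a test that the flash attributes you depend on survive a store-and-load cycle. Keep the set of extra mix-ins minimal: every class accepted with `Id.CLASS` type information widens the deserialization surface the allowlist exists to limit.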
**Comment From: markusheiden**
It is hard to find documentation for the JSON serialization.
An example is linked in https://docs.spring.io/spring-session/docs/current/reference/html5/#samples
**Comment From: markusheiden**
LDAP JSON support is missing.
See https://github.com/spring-projects/spring-security/pull/9263
**Comment From: markusheiden**
Session invalidation is no solution when using rolling updates or canary deployments. The sessions (of two versions of Spring Security) have to co-exist for that, with backward and forward compatibility. Currently there is no good solution to this problem, because the above-mentioned JSON support is not well documented and incomplete.
The only solution in this scenario is to use session pinning, so that the users just have to re-login once. But session pinning is considered an anti-pattern for scalability.
But anyway: Thanks for the pointer to the JSON support! :-)
**Comment From: kramer**
@eleftherias
> To mitigate this, you can invalidate the sessions, which will let users get a new one.
What would be the correct way to do that programmatically since all removal/expiry related methods in `RedisIndexedSessionRepository` rely on loading the session?
**Comment From: sajeerzeji**
Might be issues with different Spring Boot versions; I was able to fix it once I got all my services onto one version.
**Comment From: zkirill**
We ran into this too on Spring Boot and wanted to share a few notes because this issue comes up on search.
To avoid bouncing the user between two session versions during a rolling deployment we temporarily enabled sticky sessions (session affinity) on our load balancer ([ALB](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/sticky-sessions.html)).
We use Redis solely for storing sessions. To avoid needing to execute `$ redis-cli keys 'spring:session:*' | xargs redis-cli del` in order to invalidate all sessions, we instead switched the Redis database index in our `application.properties` with `spring.redis.database=1`. Another way would have been to change the namespace `spring.session.redis.namespace=spring:session-2`, but the former seemed cleaner and we didn't need anything in the default database index 0. The benefit of doing this over invalidating all sessions immediately was that the user would have only been signed out once, when the instance to which they were "stuck" got deregistered by the load balancer.
Following the advice to switch to Jackson serialization we encountered serialization errors (spring-projects/spring-security/issues/4370) regarding classes that are not allowlisted. It seems that the classes needed for setting flash attributes in sessions (listed below) need to be added to ObjectMapper manually. I'm not sure what other classes are missing and how to find them without trial and error.
```
java.util.concurrent.CopyOnWriteArrayList
org.springframework.web.servlet.FlashMap
```
**Comment From: EvertonSA**
> It is hard to find documentation for the JSON serialization.
> An example is linked in https://docs.spring.io/spring-session/docs/current/reference/html5/#samples
**Comment From: BenArunski**
Depending on the version you are using, a link like this should work; it includes a link to JSON serialization ("current" in the link provided in Dec-2020 is no longer "current"):
https://docs.spring.io/spring-session/docs/2.3.x/reference/html5/#samples
> It is hard to find documentation for the JSON serialization. An example is linked in https://docs.spring.io/spring-session/docs/current/reference/html5/#samples