Describe the bug When spring performs a logout operation with HTTP Session using class SecurityContextLogoutHandler and invalidates the session (SecurityContextLogoutHandler.java#L73), then it tries to save an empty Security Context using HttpSessionSecurityContextRepository and SaveToSessionResponseWrapper (SecurityContextLogoutHandler.java#L85).
The problem is, the SaveToSessionResponseWrapper class tries to remove the Spring Security context from the session (HttpSessionSecurityContextRepository.java#L409) because it is saving an anonymous authentication context and I have a previous authenticated one, but the session is already invalidated by the logout handler and as a result I get a "Session is invalid" exception.
To Reproduce Do a logout operation using Http session.
Stacktrace
java.lang.IllegalStateException: HttpSession is invalid
    at weblogic.servlet.internal.session.SessionData.removeAttribute(SessionData.java:762)
    at weblogic.servlet.internal.session.SessionData.removeAttribute(SessionData.java:757)
    at org.springframework.security.web.context.HttpSessionSecurityContextRepository$SaveToSessionResponseWrapper.saveContext(HttpSessionSecurityContextRepository.java:409)
    at org.springframework.security.web.context.HttpSessionSecurityContextRepository.saveContext(HttpSessionSecurityContextRepository.java:156)
    at org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler.logout(SecurityContextLogoutHandler.java:85)
Expected behavior Do not remove any attributes from the session if it has already been invalidated previously.
Version 5.8.14
Comment From: marcusdacoregio
Hi @sestevecruz, thanks for the report.
After the session is invalidated, further calls to request.getSession(false) should return null (as mentioned in the API docs), therefore, it wouldn't try to clear the attribute because it checks if the session is null.
Can you provide a minimal, reproducible sample where I can verify the behavior that you are describing?
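The servlet contract marcusdacoregio refers to, shown as an added illustration that is neither Spring Security's code nor the reporter's application: once `invalidate()` has been called, `getSession(false)` must return null, and a logout step that checks for null before touching attributes is then safe. A request wrapper that caches the session object and keeps handing it back after invalidation breaks that assumption and produces exactly the `IllegalStateException` on `removeAttribute` seen in the stack trace. The example assumes spring-test 5.3.x (`MockHttpServletRequest`, `MockHttpSession`) and the javax.servlet API on the classpath; `CachingSessionWrapper`, `DelegatingWrapper` and the simplified `logout` method are hypothetical and only model the sequence the issue describes.

```java
// Added illustration of the session-invalidation contract; not Spring Security's own code.
// Assumes spring-test 5.3.x and javax.servlet on the classpath.
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpSession;

import org.springframework.mock.web.MockHttpServletRequest;

public class LogoutSessionContractDemo {

    // Same attribute name Spring uses for the stored SecurityContext.
    static final String CONTEXT_KEY = "SPRING_SECURITY_CONTEXT";

    /** Hypothetical application wrapper: caches the session once and never re-checks validity. */
    static class CachingSessionWrapper extends HttpServletRequestWrapper {
        private HttpSession cached;

        CachingSessionWrapper(HttpServletRequest request) {
            super(request);
        }

        @Override
        public HttpSession getSession(boolean create) {
            if (cached == null) {
                cached = super.getSession(create);
            }
            return cached; // bug: still returned after invalidate(), violating the servlet contract
        }

        @Override
        public HttpSession getSession() {
            return getSession(true);
        }
    }

    /** Wrapper that honours the contract by delegating every call to the wrapped request. */
    static class DelegatingWrapper extends HttpServletRequestWrapper {
        DelegatingWrapper(HttpServletRequest request) {
            super(request);
        }
    }

    /**
     * Simplified model of the sequence in the issue: invalidate the session, then try to
     * clear the stored security context. Returns a short description of what happened.
     */
    static String logout(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        // After invalidate(), a conforming request returns null here, so there is nothing to clear.
        HttpSession after = request.getSession(false);
        if (after == null) {
            return "session is null after invalidate: nothing to remove";
        }
        try {
            after.removeAttribute(CONTEXT_KEY);
            return "removed attribute from a live session";
        } catch (IllegalStateException ex) {
            return "IllegalStateException: " + ex.getMessage();
        }
    }

    /** Constructed request with a session holding a placeholder security context. */
    static MockHttpServletRequest authenticatedRequest() {
        MockHttpServletRequest request = new MockHttpServletRequest();
        request.getSession(true).setAttribute(CONTEXT_KEY, "constructed-context-placeholder");
        return request;
    }

    public static void main(String[] args) {
        System.out.println("delegating wrapper: " + logout(new DelegatingWrapper(authenticatedRequest())));
        System.out.println("caching wrapper:    " + logout(new CachingSessionWrapper(authenticatedRequest())));
    }
}
```

With the delegating wrapper the second `getSession(false)` returns null and the method exits before touching the session; with the caching wrapper the stale session is returned and `removeAttribute` throws, which is the failure mode to look for when a logout stack trace ends in a session-invalid exception from code that already guards against a null session.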
Comment From: sestevecruz
Hi @marcusdacoregio,
My apologies, after reviewing the documentation you mention, indeed, getting the session once invalidated should return null.
Investigating a little more, I have realized that this is due to a bug outside Spring in one of the wrappers of the request that uses the application I'm running.
I will proceed to close the issue, and again sorry for the inconvenience.