From b97e93a486946fa6edf193676d8ba6b3fbb483d2 Mon Sep 17 00:00:00 2001
From: Craig Andrews <candrews@integralblue.com>
Date: Fri, 16 Apr 2021 11:59:01 -0400
Subject: [PATCH] Add guard around logger.debug statement

The log message involves string concatenation, the cost of which
should only be incurred if debug logging is enabled

Issue gh-9648
---
 .../web/session/SimpleRedirectInvalidSessionStrategy.java     | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/web/src/main/java/org/springframework/security/web/session/SimpleRedirectInvalidSessionStrategy.java b/web/src/main/java/org/springframework/security/web/session/SimpleRedirectInvalidSessionStrategy.java
index 6fd0f7b3cb..35db022e9e 100644
--- a/web/src/main/java/org/springframework/security/web/session/SimpleRedirectInvalidSessionStrategy.java
+++ b/web/src/main/java/org/springframework/security/web/session/SimpleRedirectInvalidSessionStrategy.java
@@ -52,7 +52,9 @@ public final class SimpleRedirectInvalidSessionStrategy implements InvalidSessio
 
 	@Override
 	public void onInvalidSessionDetected(HttpServletRequest request, HttpServletResponse response) throws IOException {
-		this.logger.debug("Starting new session (if required) and redirecting to '" + this.destinationUrl + "'");
+		if (this.logger.isDebugEnabled()) {
+			this.logger.debug("Starting new session (if required) and redirecting to '" + this.destinationUrl + "'");
+		}
 		if (this.createNewSession) {
 			request.getSession();
 		}