Uploaded image for project: 'Spring Data Redis'
  1. Spring Data Redis
  2. DATAREDIS-791

ReactiveHashCommands.hMSet calls HSETNX if map contains a single tuple

    XMLWordPrintable

    Details

      Description

      In ReactiveHashCommands#hMSet, I believe the method should not execute an ifValueNotExists()? By removing that, it should be OK I believe.

      A method hMSetNX could be created too, if relevant.

      I came to this conclusion after checking in Spring Boot 2, Spring Security component was not logging out correctly when using Spring Data Redis as the backend for the session. The problem was basically it's using this method to remove the SPRING_SECURITY_CONTEXT information, but as it's doing an HSETNX internally, it's not really updating the session information (as that key already exists). So basically, a user is never really logged out, even though it seems like it is.

      If that's the case and I'm not mistaken, it's obviously an important security issue when using Redis as the session backend.

      I'd be happy to provide a PR on GitHub if you think I'm right about this.

        Attachments

          Activity

            People

            Assignee:
            mp911de Mark Paluch
            Reporter:
            magd magd
            Last updater:
            Mark Paluch
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

              Dates

              Created:
              Updated:
              Resolved: