Uploaded image for project: 'Spring Data Redis'
  1. Spring Data Redis
  2. DATAREDIS-791

ReactiveHashCommands.hMSet calls HSETNX if map contains a single tuple

    Details

      Description

      In ReactiveHashCommands#hMSet, I believe the method should not execute an ifValueNotExists()? By removing that, it should be OK I believe.

      A method hMSetNX could be created too, if relevant.

      I came to this conclusion after checking in Spring Boot 2, Spring Security component was not logging out correctly when using Spring Data Redis as the backend for the session. The problem was basically it's using this method to remove the SPRING_SECURITY_CONTEXT information, but as it's doing an HSETNX internally, it's not really updating the session information (as that key already exists). So basically, a user is never really logged out, even though it seems like it is.

      If that's the case and I'm not mistaken, it's obviously an important security issue when using Redis as the session backend.

      I'd be happy to provide a PR on GitHub if you think I'm right about this.

        Attachments

          Activity

            People

            • Assignee:
              mp911de Mark Paluch
              Reporter:
              magd magd
              Last updater:
              Mark Paluch
            • Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: