Spring Security SEC-767

Make session fixation protection check for committed response

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 2.0.0 RC1
    • Fix Version/s: 2.0.0
    • Component/s: None
    • Labels: None

      Description

      The changes introduced in SEC-689 may cause problems when a response has already been committed (for whatever reason) when going from an unauthenticated to an authenticated state. In this case it isn't possible to create a new session. The session fixation protection filter should check the response state.

        Activity

        Luke Taylor added a comment -

        I've added a check in the session fixation filter to make sure the response hasn't already been committed. If it has, it will log a warning when it would normally have created a new session.

        Luke Taylor added a comment -

        See http://jira.springframework.org/browse/SEC-767. As the user suggests, adding support for flushBuffer in the response wrapper would be a better solution.

        Luke Taylor added a comment -

        I've added flushBuffer to the methods that the response wrapper overrides. However, it's still possible that the response will be committed due to the write buffer being filled without an explicit call to flushBuffer.

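The two mechanisms discussed in the comments above, as an added Java illustration (hypothetical code, not Spring Security's own): a session-migration step that refuses to act once the response is committed, and a response wrapper that runs a hook before sendRedirect, sendError and flushBuffer so session work happens while headers can still be written. The class and method names are assumptions.

```java
import java.io.IOException;
import java.util.logging.Logger;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;
import javax.servlet.http.HttpSession;

// Hypothetical illustration of the checks discussed in SEC-767; not Spring Security's code.
public final class SessionFixationDemo {
    private static final Logger log = Logger.getLogger(SessionFixationDemo.class.getName());

    /** Moves the caller to a fresh session id, unless the response is already committed. */
    public static HttpSession migrateSession(HttpServletRequest request, HttpServletResponse response) {
        HttpSession session = request.getSession(false);
        if (session == null) {
            return null; // no session yet, so nothing to migrate
        }
        if (response.isCommitted()) {
            // Headers (including the Set-Cookie for a new session id) can no longer be sent,
            // so warn instead of invalidating a session the client could never replace.
            log.warning("Response already committed; cannot migrate session " + session.getId());
            return session;
        }
        session.invalidate();
        return request.getSession(true); // the container issues a new session id
    }

    /** Runs a hook once, just before any operation that would commit the response. */
    public static class CommitAwareResponseWrapper extends HttpServletResponseWrapper {
        private final Runnable beforeCommit;
        private boolean hookRan;

        public CommitAwareResponseWrapper(HttpServletResponse response, Runnable beforeCommit) {
            super(response);
            this.beforeCommit = beforeCommit;
        }

        private void runHookOnce() {
            if (!hookRan && !isCommitted()) {
                hookRan = true;
                beforeCommit.run();
            }
        }

        @Override public void sendRedirect(String location) throws IOException { runHookOnce(); super.sendRedirect(location); }
        @Override public void sendError(int sc) throws IOException { runHookOnce(); super.sendError(sc); }
        @Override public void sendError(int sc, String msg) throws IOException { runHookOnce(); super.sendError(sc, msg); }
        // Covers explicit flushes; a commit caused by the write buffer filling up still bypasses this hook.
        @Override public void flushBuffer() throws IOException { runHookOnce(); super.flushBuffer(); }
    }
}
```

A filter would wrap the response with CommitAwareResponseWrapper before calling the rest of the chain, passing a hook that stores the security context or migrates the session; the migration step still checks isCommitted() itself because buffer-fill commits are invisible to the wrapper.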

          People

          • Assignee: Luke Taylor
          • Reporter: Luke Taylor
          • Votes: 0
          • Watchers: 0
