Issue Details

Key: SEC-767
Type: Improvement
Status: Closed
Resolution: Fixed
Priority: Minor
Assignee: Luke Taylor
Reporter: Luke Taylor
Votes: 0
Watchers: 0
Spring Security

Make session fixation protection check for committed response

Created: 12/Apr/08 05:58 PM   Updated: 13/Apr/08 03:25 PM
Component/s: None
Affects Version/s: 2.0.0 RC1
Fix Version/s: 2.0.0

Time Tracking:
Not Specified


Description
The changes introduced in SEC-689 may cause problems when a response has already been committed (for whatever reason) when going from an unauthenticated to an authenticated state. In this case it isn't possible to create a new session. The session fixation protection filter should check the response state.

Luke Taylor added a comment - 12/Apr/08 07:27 PM
I've added a check in the session fixation filter to make sure the response hasn't already been committed. If it has, it will log a warning when it would normally have created a new session.

Luke Taylor added a comment - 13/Apr/08 03:17 PM
See http://jira.springframework.org/browse/SEC-767. As the user suggests, adding support for flushBuffer in the response wrapper would be a better solution.

Luke Taylor added a comment - 13/Apr/08 03:25 PM
I've added flushBuffer to the methods that the response wrapper overrides. However, it's still possible that the response will be committed due to the write buffer being filled without an explicit call to flushBuffer.
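The following is an added example, not Spring Security's own filter or response wrapper, showing the two mitigations discussed in this issue in one servlet filter: the session id is only replaced when the request goes from unauthenticated to authenticated, the filter checks `response.isCommitted()` first and logs a warning instead of failing when it is too late, and a response wrapper overrides flushBuffer (plus sendRedirect and sendError) so the migration happens before the response is committed. The class name, the `example.principal` session attribute, and the request attribute used to make the migration run once are all assumptions for the example.

```java
import java.io.IOException;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import java.util.logging.Logger;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;
import javax.servlet.http.HttpSession;

// Hypothetical session-fixation filter (example code, not Spring Security's).
public class SessionMigrationFilter implements Filter {
    private static final Logger LOG = Logger.getLogger(SessionMigrationFilter.class.getName());
    // Assumed: a downstream authenticator stores the principal under this session attribute.
    static final String PRINCIPAL_ATTR = "example.principal";
    // Assumed request attribute marking that migration already ran for this request.
    static final String MIGRATED_ATTR = "example.sessionMigrated";

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        final HttpServletRequest request = (HttpServletRequest) req;
        final HttpServletResponse response = (HttpServletResponse) res;
        final boolean wasAuthenticated = isAuthenticated(request);

        // Any call that commits the response first gives us a chance to migrate the
        // session while the Set-Cookie header for the new id can still be written.
        HttpServletResponseWrapper wrapped = new HttpServletResponseWrapper(response) {
            @Override public void flushBuffer() throws IOException {
                migrateIfNeeded(request, getResponse(), wasAuthenticated);
                super.flushBuffer();
            }
            @Override public void sendRedirect(String location) throws IOException {
                migrateIfNeeded(request, getResponse(), wasAuthenticated);
                super.sendRedirect(location);
            }
            @Override public void sendError(int sc, String msg) throws IOException {
                migrateIfNeeded(request, getResponse(), wasAuthenticated);
                super.sendError(sc, msg);
            }
            @Override public void sendError(int sc) throws IOException {
                migrateIfNeeded(request, getResponse(), wasAuthenticated);
                super.sendError(sc);
            }
        };

        chain.doFilter(request, wrapped);
        // Normal path: the chain returned without committing, so migrate now.
        migrateIfNeeded(request, response, wasAuthenticated);
    }

    static boolean isAuthenticated(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        return session != null && session.getAttribute(PRINCIPAL_ATTR) != null;
    }

    // Replaces the session id once per request on the unauthenticated -> authenticated
    // transition; if the response is already committed it only logs a warning, because a
    // new session cookie could no longer reach the client.
    static void migrateIfNeeded(HttpServletRequest request, ServletResponse response,
                                boolean wasAuthenticated) {
        if (wasAuthenticated || !isAuthenticated(request)) {
            return; // no authentication transition during this request
        }
        if (request.getAttribute(MIGRATED_ATTR) != null) {
            return; // already migrated (e.g. flushBuffer ran before the chain returned)
        }
        request.setAttribute(MIGRATED_ATTR, Boolean.TRUE);

        if (response.isCommitted()) {
            LOG.warning("Response already committed; unable to create a new session "
                    + "to protect against session fixation");
            return;
        }

        HttpSession old = request.getSession(false);
        Map<String, Object> attributes = new HashMap<String, Object>();
        for (Enumeration<?> names = old.getAttributeNames(); names.hasMoreElements();) {
            String name = (String) names.nextElement();
            attributes.put(name, old.getAttribute(name));
        }
        old.invalidate();
        HttpSession fresh = request.getSession(true); // new id, same user state
        for (Map.Entry<String, Object> entry : attributes.entrySet()) {
            fresh.setAttribute(entry.getKey(), entry.getValue());
        }
    }
}
```

The caveat from the last comment still applies to this example: if downstream code writes more than the container's buffer size, the container commits the response on its own and neither flushBuffer nor the filter's post-chain call can help; the `isCommitted()` check then turns that case into a logged warning rather than an exception, which is the behaviour this issue asked for.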