Merge remote branch 'colin/master' into grails

commit a53d9eb6d86b18bd33928b4af7954b68f9a3e217 2 parents 0042da3 + e506763
@burtbeckwith authored
6 SpringSecurityCoreGrailsPlugin.groovy
@@ -786,10 +786,10 @@ class SpringSecurityCoreGrailsPlugin {
private configureAuthenticationProcessingFilter = { conf ->
- if (conf.useSessionFixation) {
+ if (conf.useSessionFixationPrevention) {
sessionAuthenticationStrategy(SessionFixationProtectionStrategy) {
- migrateSessionAttributes = conf.sessionFixation.migrate // true
- alwaysCreateSession = conf.sessionFixation.alwaysCreate // false
+ migrateSessionAttributes = conf.sessionFixationPrevention.migrate // true
+ alwaysCreateSession = conf.sessionFixationPrevention.alwaysCreate // false
}
}
else {
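Review bot: The property read on the `alwaysCreateSession` line does not match the config key introduced in this same commit: the plugin reads `conf.sessionFixationPrevention.alwaysCreate`, while DefaultSecurityConfig.groovy and both guide tables define `sessionFixationPrevention.alwaysCreateSession`. In a Groovy ConfigObject the unknown key yields an empty ConfigObject rather than the configured boolean, so the user's `alwaysCreateSession` setting is never honored; change the read to `alwaysCreateSession = conf.sessionFixationPrevention.alwaysCreateSession` (the `// false` comment stays accurate).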
6 grails-app/conf/DefaultSecurityConfig.groovy
@@ -108,9 +108,9 @@ security {
authenticationDetails.authClass = WebAuthenticationDetails
// session fixation
- useSessionFixation = false
- sessionFixation.migrate = true
- sessionFixation.alwaysCreateSession = false
+ useSessionFixationPrevention = false
+ sessionFixationPrevention.migrate = true
+ sessionFixationPrevention.alwaysCreateSession = false
/** daoAuthenticationProvider **/
dao.reflectionSaltSourceProperty = null // if null, don't use salt source
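Review bot: Renaming the keys with no fallback means an application that already opted in via the old `useSessionFixation = true` (or tuned `sessionFixation.migrate` / `sessionFixation.alwaysCreateSession`) now silently runs with session fixation protection off, because only `useSessionFixationPrevention` is consulted and it defaults to `false`. Consider honoring the old keys for a release with a deprecation warning at startup, or at least calling out the rename in the upgrade notes; while here, a default of `true` would be the safer posture for a security plugin, since the strategy only acts on successful authentication.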
8 src/docs/guide/10.4. Session Fixation.gdoc
@@ -1,7 +1,7 @@
-To guard against [session-fixation attacks|http://en.wikipedia.org/wiki/Session_fixation] set the @useSessionFixation@ attribute to @true@:
+To guard against [session-fixation attacks|http://en.wikipedia.org/wiki/Session_fixation] set the @useSessionFixationPrevention@ attribute to @true@:
{code}
-grails.plugins.springsecurity.useSessionFixation = true
+grails.plugins.springsecurity.useSessionFixationPrevention = true
{code}
When this is active, on successful authentication a new HTTP session will be created and the previous session's attributes will be copied into it. This way, if you were to start your session by clicking a link that was generated by someone trying to hack your account which contained an active session id, you would no longer be sharing the previous session after login - you'd have your own.
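Review bot: The guide tells readers to set `useSessionFixationPrevention` to `true` but never states that it is `false` by default (per DefaultSecurityConfig.groovy in this commit), so a reader may assume the protection is already on; add a sentence saying the feature is off unless enabled, and mention that the former `useSessionFixation` name is no longer read so existing configurations must be updated.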
@@ -12,7 +12,7 @@ There are a couple of configuration options:
{table}
*Name* | *Default Value* |
-sessionFixation.migrate | @true@ | whether to copy the session attributes of the existing session to the new session after login
-sessionFixation.alwaysCreateSession | @false@ | whether to always create a session even if one didn't exist at the start of the request
+sessionFixationPrevention.migrate | @true@ | whether to copy the session attributes of the existing session to the new session after login
+sessionFixationPrevention.alwaysCreateSession | @false@ | whether to always create a session even if one didn't exist at the start of the request
{table}
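Review bot: The table header has two cells (`*Name* | *Default Value* |`) while every row has three, so the description column renders without a heading; add `*Description*` as the third header cell. The renamed rows match DefaultSecurityConfig.groovy, but note they disagree with the plugin code in this commit, which reads `alwaysCreate` rather than `alwaysCreateSession`.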
6 src/docs/guide/6. Configuration.gdoc
@@ -144,9 +144,9 @@ More configuration details are [here|guide:10.4. Session Fixation]
{table}
*Property* | *Default Value* |
-useSessionFixation | @false@ | whether to use session fixation
-sessionFixation.migrate | @true@ | whether to copy the session attributes of the existing session to the new session after login
-sessionFixation.alwaysCreateSession | @false@ | whether to always create a session even if one didn't exist at the start of the request
+useSessionFixationPrevention | @false@ | whether to use session fixation
+sessionFixationPrevention.migrate | @true@ | whether to copy the session attributes of the existing session to the new session after login
+sessionFixationPrevention.alwaysCreateSession | @false@ | whether to always create a session even if one didn't exist at the start of the request
{table}
h4. Certificate (X509) login
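Review bot: The description for `useSessionFixationPrevention` still reads "whether to use session fixation", which describes the attack rather than the defence and now contradicts the property name; change it to "whether to enable session fixation prevention". The header row here also lacks a third cell for the description column, the same defect as the table in 10.4.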