
Fix Spring session fixation&stale session issues #52

Merged
merged 2 commits into from
Jul 25, 2017

Conversation

emre-aydin
Contributor

Two problems solved:

  • Fix session fixation vulnerability
  • Fix stale Hazelcast session issue

Session fixation vulnerability occurred with Spring Security MVC
as it used isRequestedSessionIdValid method on HttpServletRequest
interface which was not implemented before this commit.

Stale Hazelcast session issue occurs when a request comes in with a
valid JSESSIONID and a hazelcast.sessionId that corresponds to
another Hazelcast session. In this case, we just used the existing
session and used the incoming JSESSIONID to find the corresponding
hazelcast.sessionId and Hazelcast session. Now we let the incoming
hazelcast.sessionId override the hazelcast.sessionId that
corresponds to the request's JSESSIONID.

Fix #47
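Added example, not code from this PR or from Hazelcast or Spring: a `HttpServletRequestWrapper` that answers `isRequestedSessionIdValid()` from the session store instead of leaving it to the container, and that reconciles a JSESSIONID whose remembered `hazelcast.sessionId` disagrees with the `hazelcast.sessionId` cookie the request carries, letting the incoming id win as the description above says. The local `jsessionToHz` map, the `liveSessions` set, the `resolve` helper and the rule that an overriding id must already exist in the cluster are assumptions of this example; only the cookie names come from the PR text. The decision logic is kept in a static method so the `main` scenarios run without a servlet container.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

// Hypothetical wrapper (not the project's own class) installed by a session filter.
public final class SessionResolvingRequest extends HttpServletRequestWrapper {

    static final String HZ_COOKIE = "hazelcast.sessionId";

    /** Outcome of reconciling the two session cookies carried by one request. */
    static final class Resolution {
        final String hazelcastSessionId;   // null when no live session could be found
        final boolean overrodeStaleMapping; // true when the incoming cookie replaced the remembered id
        Resolution(String id, boolean overrode) {
            hazelcastSessionId = id;
            overrodeStaleMapping = overrode;
        }
    }

    /**
     * Container-free decision logic.
     * jsessionToHz : local JSESSIONID -> hazelcast.sessionId mapping (assumption of this example)
     * liveSessions : ids of sessions the cluster currently holds (stands in for the session map)
     * jsessionId   : JSESSIONID from the request, may be null
     * hzSessionId  : hazelcast.sessionId cookie from the request, may be null
     */
    static Resolution resolve(Map<String, String> jsessionToHz, Set<String> liveSessions,
                              String jsessionId, String hzSessionId) {
        String mapped = jsessionId == null ? null : jsessionToHz.get(jsessionId);
        // Stale mapping: the request names a different Hazelcast session than the one remembered
        // for this JSESSIONID. The incoming id wins, but only if the cluster actually knows it
        // (assumption: never adopt an arbitrary client-supplied id).
        if (hzSessionId != null && !hzSessionId.equals(mapped) && liveSessions.contains(hzSessionId)) {
            if (jsessionId != null) {
                jsessionToHz.put(jsessionId, hzSessionId);
            }
            return new Resolution(hzSessionId, true);
        }
        // Otherwise the remembered mapping is used, provided that session is still alive.
        if (mapped != null && liveSessions.contains(mapped)) {
            return new Resolution(mapped, false);
        }
        return new Resolution(null, false);
    }

    private final Map<String, String> jsessionToHz;
    private final Set<String> liveSessions;

    SessionResolvingRequest(HttpServletRequest request, Map<String, String> jsessionToHz,
                            Set<String> liveSessions) {
        super(request);
        this.jsessionToHz = jsessionToHz;
        this.liveSessions = liveSessions;
    }

    private String cookie(String name) {
        Cookie[] cookies = getCookies(); // null when the request carries no Cookie header
        if (cookies == null) {
            return null;
        }
        for (Cookie c : cookies) {
            if (name.equals(c.getName())) {
                return c.getValue();
            }
        }
        return null;
    }

    /** Answered from the store, so a session id the client made up is reported as invalid. */
    @Override
    public boolean isRequestedSessionIdValid() {
        Resolution r = resolve(jsessionToHz, liveSessions, getRequestedSessionId(), cookie(HZ_COOKIE));
        return r.hazelcastSessionId != null;
    }

    public static void main(String[] args) {
        // Constructed state: JS-1 is remembered as hz-A; hz-A and hz-B exist in the cluster.
        Map<String, String> mapping = new HashMap<>();
        mapping.put("JS-1", "hz-A");
        Set<String> live = new HashSet<>(Arrays.asList("hz-A", "hz-B"));

        // 1. Unknown JSESSIONID and no hazelcast cookie: reported invalid, so it is not trusted.
        System.out.println("unknown id valid? "
                + (resolve(mapping, live, "JS-unknown", null).hazelcastSessionId != null));
        // 2. Consistent cookies: the remembered session is used.
        System.out.println("consistent -> " + resolve(mapping, live, "JS-1", "hz-A").hazelcastSessionId);
        // 3. Stale mapping: the request carries hz-B for JS-1, so hz-B wins and the mapping is updated.
        Resolution r = resolve(mapping, live, "JS-1", "hz-B");
        System.out.println("stale -> " + r.hazelcastSessionId + ", overrode=" + r.overrodeStaleMapping
                + ", mapping now " + mapping.get("JS-1"));
        // 4. A hazelcast.sessionId the cluster does not hold is ignored; the mapping stands.
        System.out.println("unknown hz id -> " + resolve(mapping, live, "JS-1", "hz-unknown").hazelcastSessionId);
    }
}
```

The existence check in the override branch is the part worth keeping in mind: without it, accepting whatever `hazelcast.sessionId` a request presents would reintroduce the same class of problem the PR fixes for `isRequestedSessionIdValid`, namely trusting a client-chosen id that the server never issued.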

@emre-aydin emre-aydin added the bug label Apr 12, 2017
@emre-aydin emre-aydin added this to the 3.8.1 milestone Apr 12, 2017
@emre-aydin emre-aydin self-assigned this Apr 12, 2017
@devOpsHazelcast
Contributor

Test PASSed.

@devOpsHazelcast
Contributor

Test PASSed.

@emre-aydin emre-aydin changed the title Fix Spring session fixation&stale session issues [DO NOT MERGE] Fix Spring session fixation&stale session issues Apr 18, 2017
@emre-aydin emre-aydin modified the milestones: 3.8.1, 3.8.2 Jul 10, 2017
@emre-aydin emre-aydin changed the title [DO NOT MERGE] Fix Spring session fixation&stale session issues Fix Spring session fixation&stale session issues Jul 21, 2017
@emre-aydin emre-aydin merged commit 73d7e7e into hazelcast:master Jul 25, 2017
Successfully merging this pull request may close these issues.

Session issues with Spring
4 participants