Fix Spring session fixation&stale session issues #52

Merged
merged 2 commits into from
Jul 25, 2017

Commits on Apr 12, 2017

  1. Fix Spring session fixation&stale session issues

    Two problems solved:
    
    - Fix session fixation vulnerability
    - Fix stale Hazelcast session issue
    
    Session fixation vulnerability occurred with Spring Security MVC
     as it used isRequestedSessionIdValid method on HttpServletRequest
     interface which was not implemented before this commit.
    
    Stale Hazelcast session issue occurs when a request comes in with a
     valid JSESSIONID and a hazelcast.sessionId that corresponds to
     another Hazelcast session. In this case, we just used the existing
     session and used the incoming JSESSIONID to find the corresponding
     hazelcast.sessionId and Hazelcast session. Now we let the incoming
     hazelcast.sessionId override the hazelcast.sessionId that
     corresponds to the request's JSESSIONID.
    
    Fix #47
    emre committed Apr 12, 2017
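
The stale-session resolution described in the commit message above, as an added example that is not code from this pull request or the project. It is a simplified Java model: `localMapping`, `cluster`, `resolveBefore` and `resolveAfter` are hypothetical names, the session ids are constructed, and the check that the cookie names a session known to the cluster is an assumption.

```java
import java.util.HashMap;
import java.util.Map;

public class StaleSessionDemo {
    // Hypothetical per-node cache: container JSESSIONID -> hazelcast.sessionId.
    static final Map<String, String> localMapping = new HashMap<>();
    // Hypothetical stand-in for the cluster-wide store: hazelcast.sessionId -> session data.
    static final Map<String, String> cluster = new HashMap<>();

    // Behaviour the commit message describes as the old one: the mapping found
    // through the incoming JSESSIONID wins and the hazelcast.sessionId cookie is
    // only consulted when no mapping exists.
    static String resolveBefore(String jsessionId, String hzCookie) {
        String mapped = localMapping.get(jsessionId);
        return mapped != null ? mapped : hzCookie;
    }

    // Behaviour the commit message describes as the new one: the incoming
    // hazelcast.sessionId overrides the id mapped to the request's JSESSIONID.
    static String resolveAfter(String jsessionId, String hzCookie) {
        String mapped = localMapping.get(jsessionId);
        // Assumption: a cookie is honoured only if the cluster knows that session,
        // so an arbitrary client-supplied value cannot re-point the mapping.
        boolean cookieKnown = hzCookie != null && cluster.containsKey(hzCookie);
        if (cookieKnown && !hzCookie.equals(mapped)) {
            localMapping.put(jsessionId, hzCookie); // re-point this node's cache
            return hzCookie;
        }
        return mapped; // null means no usable session: the caller creates a new one
    }

    public static void main(String[] args) {
        // Constructed scenario: this node still maps J1 to HZ-old, while the
        // browser presents a hazelcast.sessionId cookie for HZ-new.
        cluster.put("HZ-old", "cart=empty");
        cluster.put("HZ-new", "cart=3 items");
        localMapping.put("J1", "HZ-old");

        String before = resolveBefore("J1", "HZ-new");
        System.out.println("before fix: " + before + " (" + cluster.get(before) + ")");

        String after = resolveAfter("J1", "HZ-new");
        System.out.println("after fix:  " + after + " (" + cluster.get(after) + ")");

        // A cookie naming no known cluster session does not change the mapping.
        System.out.println("unknown cookie: " + resolveAfter("J1", "HZ-bogus"));
    }
}
```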
    4806e09

Commits on Apr 14, 2017

  1. Fix NPE

    emre committed Apr 14, 2017
    6304432