Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ISPN-10224 Fix session fixation protection #6960

Closed
wants to merge 1 commit into from
Closed

ISPN-10224 Fix session fixation protection #6960

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
10 changes: 9 additions & 1 deletion ...c/main/java/org/infinispan/spring/common/session/AbstractInfinispanSessionRepository.java
View file
Open in desktop
Expand Up @@ -12,6 +12,7 @@
import org.infinispan.spring.common.provider.SpringCache;
import org.springframework.beans.factory.DisposableBean;
import org.springframework.beans.factory.InitializingBean;
import org.springframework.cache.Cache.ValueWrapper;
import org.springframework.context.ApplicationEventPublisher;
import org.springframework.context.ApplicationEventPublisherAware;
import org.springframework.session.FindByIndexNameSessionRepository;
Expand Down Expand Up @@ -65,6 +66,9 @@ public MapSession createSession() {

@Override
public void save(MapSession session) {
if (!session.getId().equals(session.getOriginalId())) {
deleteById(session.getOriginalId());
}
cache.put(session.getId(), session, session.getMaxInactiveInterval().getSeconds(), TimeUnit.SECONDS);
}

Expand All @@ -75,7 +79,11 @@ public MapSession findById(String sessionId) {

@Override
public void deleteById(String sessionId) {
MapSession mapSession = (MapSession) cache.get(sessionId).get();
ValueWrapper valueWrapper = cache.get(sessionId);
if (valueWrapper == null) {
return;
}
MapSession mapSession = (MapSession) valueWrapper.get();
if (mapSession != null) {
applicationEventPublisher.emitSessionDeletedEvent(mapSession);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure we need to send a session deleted event when the id has changed. I need to double check this behavior with spring session people.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Grabbing a look to other code I know that we should not call deleteById but remove the entry from the repository using Infinispan remove and skip notifications. I will add a commit with the correction soon

cache.evict(sessionId);
Expand Down
23 changes: 23 additions & 0 deletions ...on/src/test/java/org/infinispan/spring/common/session/InfinispanSessionRepositoryTCK.java
View file
Open in desktop
Expand Up @@ -132,6 +132,29 @@ public void testExtractingPrincipal() throws Exception {
assertTrue(numberOfNonExistingUsers == 0);
}

@Test
public void testChangeSessionId() throws Exception {
//given
MapSession session = sessionRepository.createSession();

//when
String originalId = session.getId();
sessionRepository.save(session);
session.changeSessionId();
String newId = session.getId();
sessionRepository.save(session);

//then
assertNotNull(sessionRepository.findById(newId));
assertNull(sessionRepository.findById(originalId));

// Save again to test that the deletion doesn't fail when the session isn't in the repo
sessionRepository.save(session );

assertNotNull(sessionRepository.findById(newId));
assertNull(sessionRepository.findById(originalId));
}

protected void addEmptySessionWithPrincipal(AbstractInfinispanSessionRepository sessionRepository, String principalName) {
MapSession session = sessionRepository.createSession();
session.setAttribute(PRINCIPAL_NAME_INDEX_NAME, principalName);
Expand Down