[FIXED SECURITY-75] Invalidate session after login to avoid session f…

…ixation
jenkinsci · Feb 11, 2014 · 8ac74c3 · 8ac74c3
1 parent 5d57c85
commit 8ac74c3
Showing 1 changed file with 1 addition and 0 deletions.
diff --git a/core/src/main/java/hudson/security/AuthenticationProcessingFilter2.java b/core/src/main/java/hudson/security/AuthenticationProcessingFilter2.java
@@ -85,6 +85,7 @@ protected void onSuccessfulAuthentication(HttpServletRequest request, HttpServle
         // HttpSessionContextIntegrationFilter stores the updated SecurityContext object into this session later
         // (either when a redirect is issued, via its HttpResponseWrapper, or when the execution returns to its
         // doFilter method.
+        request.getSession().invalidate();
         request.getSession();
     }