
SEC-767: Make session fixation protection check for committed response #1027

spring-issuemaster opened this Issue Apr 12, 2008 · 3 comments



Luke Taylor (Migrated from SEC-767) said:

The changes introduced in SEC-689 may cause problems when a response has already been committed (for whatever reason) when going from an unauthenticated to an authenticated state. In this case it isn’t possible to create a new session. The session fixation protection filter should check the response state.

Luke Taylor said:

I’ve added a check in the session fixation filter to make sure the response hasn’t already been committed. If it has, it will log a warning when it would normally have created a new session.

Luke Taylor said:

See http://jira.springframework.org/browse/SEC-767. As the user suggests, adding support for flushBuffer in the response wrapper would be a better solution.

Luke Taylor said:

I’ve added flushBuffer to the methods that the response wrapper overrides. However, it’s still possible that the response will be committed due to the write buffer being filled without an explicit call to flushBuffer.
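
The approach the thread converges on, as an added illustration written for this page rather than Spring Security's own code: a response wrapper that migrates the session on every call that commits the response (flushBuffer, sendRedirect, sendError), and that falls back to a warning when it finds the response already committed. It assumes the javax Servlet API and a hypothetical `becameAuthenticated` supplier that the surrounding filter provides to signal that this request moved from unauthenticated to authenticated.

```java
import java.io.IOException;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import java.util.function.BooleanSupplier;
import java.util.logging.Logger;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;
import javax.servlet.http.HttpSession;

/** Hypothetical wrapper: swaps the session id before the response is committed. */
public class SessionMigratingResponse extends HttpServletResponseWrapper {
    private static final Logger log = Logger.getLogger(SessionMigratingResponse.class.getName());
    private final HttpServletRequest request;
    private final BooleanSupplier becameAuthenticated; // assumed: true once login succeeded in this request
    private boolean handled;

    public SessionMigratingResponse(HttpServletRequest request, HttpServletResponse response, BooleanSupplier becameAuthenticated) {
        super(response);
        this.request = request;
        this.becameAuthenticated = becameAuthenticated;
    }

    /** Invalidates the current session and copies its attributes into a fresh one, at most once. */
    public void migrateSessionIfNeeded() {
        if (handled || !becameAuthenticated.getAsBoolean()) return;
        handled = true;
        HttpSession old = request.getSession(false);
        if (old == null) return;
        if (isCommitted()) {
            // Headers are already on the wire, so a new session cookie could never reach
            // the client. Keep the existing session and log instead of failing the request.
            log.warning("Response already committed; session " + old.getId() + " not migrated");
            return;
        }
        Map<String, Object> attrs = new HashMap<>();
        for (Enumeration<String> names = old.getAttributeNames(); names.hasMoreElements();) {
            String name = names.nextElement();
            attrs.put(name, old.getAttribute(name));
        }
        old.invalidate();
        HttpSession fresh = request.getSession(true); // new id goes out in Set-Cookie with the headers
        attrs.forEach(fresh::setAttribute);
    }

    // Every call that commits the response is intercepted, including flushBuffer.
    @Override public void flushBuffer() throws IOException { migrateSessionIfNeeded(); super.flushBuffer(); }
    @Override public void sendRedirect(String url) throws IOException { migrateSessionIfNeeded(); super.sendRedirect(url); }
    @Override public void sendError(int sc, String msg) throws IOException { migrateSessionIfNeeded(); super.sendError(sc, msg); }
}
```

The filter that installs the wrapper should also call `migrateSessionIfNeeded()` after the chain returns, so a response that was never flushed or redirected still gets a fresh id. The `isCommitted()` check remains the safety net for the case the last comment describes, where the container commits on its own because the write buffer filled up.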

@spring-issuemaster spring-issuemaster added this to the 2.0.0 milestone Feb 5, 2016
