SEC-767: Make session fixation protection check for committed response #1027

Closed
spring-issuemaster opened this Issue Apr 12, 2008 · 3 comments

1 participant

@spring-issuemaster

Luke Taylor (Migrated from SEC-767) said:

The changes introduced in SEC-689 may cause problems when a response has already been committed (for whatever reason) when going from an unauthenticated to an authenticated state. In this case it isn’t possible to create a new session. The session fixation protection filter should check the response state.

@spring-issuemaster

Luke Taylor said:

I’ve added a check in the session fixation filter to make sure the response hasn’t already been committed. If it has, it will log a warning when it would normally have created a new session.

@spring-issuemaster

Luke Taylor said:

See http://jira.springframework.org/browse/SEC-767. As the user suggests, adding support for flushBuffer in the response wrapper would be a better solution.

@spring-issuemaster

Luke Taylor said:

I’ve added flushBuffer to the methods that the reponse wrapper overrides. However, it’s still possible that the response will be committed due to the write buffer being filled without an explicit call to flushBuffer.

@spring-issuemaster spring-issuemaster added this to the 2.0.0 milestone Feb 5, 2016
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment