
SEC-776: Http Session created for Anonymous request #1036

Description

@spring-projects-issues

Corey T (Migrated from SEC-776) said:

I’m using Anonymous Authentication for the public pages on a site I’m developing. If I go to a page that is successful, an anonymous authentication token is made and then reset by the AnonymousProcessingFilter, so that no HttpSession is created for that request. However, if the page I go to results in an error (like 404 or 500), an HttpSession is created with the anonymous authentication token saved within.

I think that it is because the HttpSessionContextIntegrationFilter wraps the response so that it can try to save the context on sendError/sendRedirect calls; however, the AnonymousProcessingFilter isn’t given a chance to remove the anonymous authentication token, so the result is that a session is created.
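The ordering problem described above can be worked around from application code without touching either framework filter. The filter below is an added example written for this issue, not Spring Security's own code or fix. It assumes the Spring Security 2.0.x package layout (org.springframework.security.context.SecurityContextHolder, org.springframework.security.providers.anonymous.AnonymousAuthenticationToken) and assumes, as the report does, that HttpSessionContextIntegrationFilter does not create a session when the context it is about to save is still empty. The filter is registered directly after AnonymousProcessingFilter, so its response wrapper is nested inside the one installed by HttpSessionContextIntegrationFilter: when the application calls sendError or sendRedirect, this inner wrapper runs first, removes the anonymous token from the context, and only then delegates to the outer wrapper, which now sees nothing worth persisting.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

// Assumed Spring Security 2.0.x package names; they differ in 3.x and later.
import org.springframework.security.Authentication;
import org.springframework.security.context.SecurityContextHolder;
import org.springframework.security.providers.anonymous.AnonymousAuthenticationToken;

/**
 * Hypothetical workaround filter (illustrative, not part of Spring Security).
 *
 * Place it in the filter chain immediately after AnonymousProcessingFilter. Its
 * response wrapper then sits inside the wrapper that
 * HttpSessionContextIntegrationFilter installed around the response, so on
 * sendError/sendRedirect the anonymous token is cleared before the outer
 * wrapper gets to persist the context into a (new) HttpSession.
 */
public class AnonymousErrorResponseFilter implements Filter {

    public void init(FilterConfig config) throws ServletException {
        // nothing to configure
    }

    public void destroy() {
        // nothing to release
    }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse httpResponse = (HttpServletResponse) response;
        chain.doFilter(request, new ClearAnonymousOnErrorWrapper(httpResponse));
    }

    /**
     * Drops an AnonymousAuthenticationToken from the thread-local security
     * context right before an error or redirect is committed on the response.
     * A real (non-anonymous) Authentication is left untouched so that genuine
     * logins are still persisted across the error/redirect as intended.
     */
    static class ClearAnonymousOnErrorWrapper extends HttpServletResponseWrapper {

        ClearAnonymousOnErrorWrapper(HttpServletResponse response) {
            super(response);
        }

        private static void clearAnonymousAuthentication() {
            Authentication current = SecurityContextHolder.getContext().getAuthentication();
            if (current instanceof AnonymousAuthenticationToken) {
                // Same effect as the cleanup AnonymousProcessingFilter performs once the
                // chain unwinds, just done early enough to matter for the outer wrapper.
                SecurityContextHolder.getContext().setAuthentication(null);
            }
        }

        public void sendError(int sc) throws IOException {
            clearAnonymousAuthentication();
            super.sendError(sc);
        }

        public void sendError(int sc, String msg) throws IOException {
            clearAnonymousAuthentication();
            super.sendError(sc, msg);
        }

        public void sendRedirect(String location) throws IOException {
            clearAnonymousAuthentication();
            super.sendRedirect(location);
        }
    }
}
```

Two caveats when using something like this: the token is gone for any code that still runs on the same thread after sendError/sendRedirect returns, so anything that inspects the context during error handling on that request will see an unauthenticated user (the same state it would see after AnonymousProcessingFilter's own cleanup); and the filter must sit after, not before, AnonymousProcessingFilter in the chain, otherwise its wrapper ends up outside the token's lifetime and changes nothing.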

Labels: in: core (An issue in spring-security-core), type: bug (A general bug), type: jira (An issue that was migrated from JIRA)