
SEC-1052: Add option to prevent URL rewriting of jsessionid #1303

Closed · spring-projects-issues opened this issue Dec 8, 2008 · 3 comments
Labels: in: config (an issue in spring-security-config), in: core (an issue in spring-security-core), type: enhancement (a general enhancement), type: jira (an issue that was migrated from JIRA)
Comments

spring-projects-issues commented Dec 8, 2008

Luke Taylor (migrated from SEC-1052) said:

This is often seen as a security risk:

http://www.owasp.org/index.php/Top_10_2007-A7

“Do not expose any session identifiers or any portion of valid credentials in URLs or logs (no session rewriting or storing the user’s password in log files)”

We should add an option in the namespace (and the HttpSessionSecurityContextRepository) to override URL encoding and prevent the id being written to the URL.

spring-projects-issues commented Dec 16, 2008

Luke Taylor said:

I’ve added the property disableUrlRewriting to HttpSessionSecurityContextRepository. Just need to add a corresponding one to the namespace.

spring-projects-issues commented Dec 16, 2008

Luke Taylor said:

I’ve added support for “disable-url-rewriting” to the namespace parser.

spring-projects-issues commented Feb 18, 2010

Chas Emerick said:

FYI, this should probably get added to the documentation here:

http://static.springsource.org/spring-security/site/docs/3.0.x/reference/appendix-namespace.html#nsa-http-attributes
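The option discussed in this thread works by stopping the servlet container from appending `;jsessionid=...` when application code encodes links and redirects. As an added illustration of that mechanism (hypothetical code written for this page, not Spring Security's own implementation and not the code Luke Taylor committed), the following filter wraps the response so that `encodeURL()` and `encodeRedirectURL()` return the URL untouched, leaving session tracking to the cookie alone; it assumes the `javax.servlet` API of the Spring Security 3.0 era.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

/**
 * Hypothetical filter, not Spring Security's own code: installs a response
 * wrapper early in the chain so that URL encoding becomes a no-op. The container
 * then cannot append ";jsessionid=..." to links and redirects built through
 * encodeURL()/encodeRedirectURL(); the session is tracked by cookie only.
 */
public class DisableUrlRewritingFilter implements Filter {
    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Everything downstream sees the wrapper, so JSP/view code that calls
        // response.encodeURL() can no longer leak the session id into a URL.
        chain.doFilter(req, new NoUrlRewritingResponse((HttpServletResponse) res));
    }

    @Override
    public void destroy() { }

    /** Returns every URL unchanged instead of delegating to the container. */
    private static final class NoUrlRewritingResponse extends HttpServletResponseWrapper {
        NoUrlRewritingResponse(HttpServletResponse response) {
            super(response);
        }

        @Override
        public String encodeURL(String url) { return url; }

        @Override
        public String encodeRedirectURL(String url) { return url; }

        // Deprecated variants are still reached by old code paths; keep them consistent.
        @Override
        public String encodeUrl(String url) { return url; }

        @Override
        public String encodeRedirectUrl(String url) { return url; }
    }
}
```

With the namespace support added in this issue, the same effect is requested declaratively through the `disable-url-rewriting` attribute on the `<http>` element rather than by registering a filter like this one by hand.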

@spring-projects-issues spring-projects-issues added in: core An issue in spring-security-core Namespace type: jira An issue that was migrated from JIRA labels Feb 5, 2016
@spring-projects-issues spring-projects-issues added this to the 3.0.0 M1 milestone Feb 5, 2016
@rwinch rwinch added in: config An issue in spring-security-config type: enhancement A general enhancement labels May 3, 2019