Spring session does not redirect back to original request #1577
Comments
Thank you for the report @naspredam. This behaviour occurs because the redirect URI is saved in the session, while the In the SAML flow, the identity provider sends a In older versions, the session cookie was included in that request because the In the latest versions, the session cookie is not included in that request because the You can read more about the A possible workaround is to set the For example:
Note that this workaround is not ideal, since it allows the session cookie to be included in any request to your application. This can make your application vulnerable to CSRF attacks.
Thanks @eleftherias for the workaround. But just wondering, if this is not recommendable due to CSRF vulnerabilities, what is recommended in case I have configured SAML with spring-session and I would like to track a redirectBack?
As there has been no reply, I am closing this issue. There is no solution, just a workaround, which has security implications.
We are using spring-session, in order to store the session on the database (jdbc). The version we were using is:
We have the front end and back end decoupled, so on the login endpoint we send a query param with the redirectBack on the front end, and this was working on this version. What it does is (we are using SAML 2.0):
When we upgraded to Spring Boot 2.2.4-RELEASE we removed the version to have the latest version, 2.2.0-RELEASE (2.0.10.RELEASE does not work on this Spring Boot version), and when we log in (we are using SAML 2.0) it always redirects back to /...

We saw that this issue was happening not only on 2.2.0-RELEASE of spring-session, but on any version after 2.0.x-RELEASE. Just as a note, we are using the spring-saml-dsl, and we tried to use some standard solution to redirect back to the original request, but this kind of interferes with spring-saml-dsl.