https://bz.apache.org/bugzilla/show_bug.cgi?id=64104
Bug ID: 64104
Summary: Double login forced by change session id on authentication mechanism
Product: Tomcat 8
Version: 8.5.50
Hardware: PC
Status: NEW
Severity: minor
Priority: P2
Component: Catalina
Assignee: dev@tomcat.apache.org
Reporter: goyocas...@gmail.com
Target Milestone: ---

Hi all.

We're maintaining a Spring application served by an Apache Tomcat server whose login page has started to behave a little bit weirdly after upgrading from version 8.5.43 to 8.5.50.

When we're making the login by posting to j_security_check, the FormAuthenticator is checking that changeSessionIdOnAuthentication is set to true and, so, it's checking that the requested session id hasn't changed. The problem is that the code considers that the id has changed even if there's no previous session id registered as a note inside the internal session. That's the code snippet:

```java
if (session != null && getChangeSessionIdOnAuthentication()) {
    // Does session id match?
    String expectedSessionId = (String) session.getNote(Constants.SESSION_ID_NOTE);
    if (expectedSessionId == null || !expectedSessionId.equals(request.getRequestedSessionId())) {
        session.expire();
        session = null;
    }
}
```

Looking at the code documentation, when documenting the changeSessionIdOnAuthentication variable, the comment states that "Should the session ID, if any, be changed upon a successful authentication to prevent a session fixation attack?". IMHO, that "if any" should mean that the previous condition should be expressed as:

```java
if (expectedSessionId != null && !expectedSessionId.equals(request.getRequestedSessionId()))
```

shouldn't it?
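To see what the two conditions actually buy, here is a stand-alone Java model of the flow the report describes. It is an added illustration written for this page, not Tomcat's FormAuthenticator code: the Session and Request classes, the helper names (forwardToLoginPage, authenticate, rotateId) and the string value used for the note key are all hypothetical. It runs the three situations that matter: the normal redirect-to-login path where the note is set, the direct-login-page path where no note exists (the reporter's case), and a cookie swapped between the form being shown and the form being posted. Credential checking is assumed to succeed so that only the session-id handling is exercised.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.UUID;

/** Model of the FORM login session-id check. Added example, NOT Tomcat code. */
public class SessionIdNoteDemo {

    // Hypothetical value; Tomcat uses Constants.SESSION_ID_NOTE for this key.
    static final String SESSION_ID_NOTE = "demo.SESSION_ID_NOTE";

    static final class Session {
        String id = UUID.randomUUID().toString();
        final Map<String, Object> notes = new HashMap<>();
        boolean expired;

        void expire() { expired = true; }

        // Same session object, new identifier: the effect of changeSessionId().
        String rotateId() { id = UUID.randomUUID().toString(); return id; }
    }

    static final class Request {
        Session session;            // session resolved from the presented cookie
        String requestedSessionId;  // raw JSESSIONID value the client sent
    }

    /** Records the current id before the login form is shown (redirect path only). */
    static void forwardToLoginPage(Session session) {
        session.notes.put(SESSION_ID_NOTE, session.id);
    }

    /**
     * j_security_check handling. Returns the authenticated session, or null when
     * the session was expired and the user is sent back to the login form.
     *   requireNote = true  -> a missing note also expires the session (reported 8.5.50 behaviour)
     *   requireNote = false -> the condition proposed in the report
     */
    static Session authenticate(Request request, boolean requireNote) {
        Session session = request.session;
        if (session == null) {
            return null; // no session to complete the login against
        }
        String expected = (String) session.notes.get(SESSION_ID_NOTE);
        boolean mismatch = requireNote
                ? (expected == null || !expected.equals(request.requestedSessionId))
                : (expected != null && !expected.equals(request.requestedSessionId));
        if (mismatch) {
            session.expire();
            return null;
        }
        // Credentials assumed valid. The id is rotated on success in BOTH variants;
        // this rotation, not the note comparison, is what defeats session fixation.
        session.rotateId();
        session.notes.remove(SESSION_ID_NOTE);
        return session;
    }

    static Request post(Session session, String cookieValue) {
        Request r = new Request();
        r.session = session;
        r.requestedSessionId = cookieValue;
        return r;
    }

    static void report(String label, Session before, String preAuthId, Session result) {
        String outcome = result == null
                ? "session expired, user must log in again"
                : "login completed, id rotated from " + preAuthId.substring(0, 8) + "... to "
                  + result.id.substring(0, 8) + "...";
        System.out.println(label + ": " + outcome);
    }

    public static void main(String[] args) {
        // 1. Protected resource -> redirect to login form -> POST. Note is present and matches.
        Session s1 = new Session();
        String id1 = s1.id;
        forwardToLoginPage(s1);
        report("redirect path, strict  ", s1, id1, authenticate(post(s1, id1), true));

        // 2. Login page opened directly: no note. Strict variant forces a second login,
        //    the proposed variant lets the login through and still rotates the id.
        Session s2a = new Session();
        report("direct page,   strict  ", s2a, s2a.id, authenticate(post(s2a, s2a.id), true));
        Session s2b = new Session();
        String id2b = s2b.id;
        report("direct page,   proposed", s2b, id2b, authenticate(post(s2b, id2b), false));

        // 3. Note present but the cookie presented on POST differs from the recorded id.
        //    Both variants expire the session; this is the case the note check covers.
        Session s3 = new Session();
        forwardToLoginPage(s3);
        report("swapped cookie, strict  ", s3, s3.id, authenticate(post(s3, "attacker-chosen-id"), true));
        Session s4 = new Session();
        forwardToLoginPage(s4);
        report("swapped cookie, proposed", s4, s4.id, authenticate(post(s4, "attacker-chosen-id"), false));
    }
}
```

Running it shows the trade-off in one place: the proposed condition removes the double login for a directly opened form while keeping the id rotation that the changeSessionIdOnAuthentication comment promises, and it still expires the session whenever a recorded id disagrees with the cookie actually posted. What it gives up is only the strict case, where an absent note is itself treated as a mismatch.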