diff options
| author | Fabrice Bacchella <fbacchella@spamcop.net> | 2015-05-23 14:16:03 +0200 |
|---|---|---|
| committer | Fabrice Bacchella <fbacchella@spamcop.net> | 2015-05-23 21:59:28 +0200 |
| commit | 14d630b8682c425880511a2c5ddf520198f55205 (patch) | |
| tree | 20ddebf0f00c10a276a99c1c36bbc75c7ba67673 /src/main/java | |
| parent | 5cc0a69a7be2af8bb11ccee3e3ea2624904c4fa0 (diff) | |
| download | gitblit-14d630b8682c425880511a2c5ddf520198f55205.tar.gz gitblit-14d630b8682c425880511a2c5ddf520198f55205.zip | |
Create web.rewriteSession key for use with tomcat and CAS
Diffstat (limited to 'src/main/java')
| -rw-r--r-- | src/main/java/com/gitblit/wicket/pages/SessionPage.java | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/src/main/java/com/gitblit/wicket/pages/SessionPage.java b/src/main/java/com/gitblit/wicket/pages/SessionPage.java index 0dda9495..af7f2115 100644 --- a/src/main/java/com/gitblit/wicket/pages/SessionPage.java +++ b/src/main/java/com/gitblit/wicket/pages/SessionPage.java @@ -96,7 +96,12 @@ public abstract class SessionPage extends WebPage { .getAttribute(Constants.AUTHENTICATION_TYPE); // issue 62: fix session fixation vulnerability - session.replaceSession(); + // but only if authentication was done in the container. + // It avoid double change of session, that some authentication method + // don't like + if (AuthenticationType.CONTAINER != authenticationType) { + session.replaceSession(); + } session.setUser(user); request.getSession().setAttribute(Constants.AUTHENTICATION_TYPE, authenticationType); |