Merge pull request #262 from fbacchella/keepsession

Do not replace session when authentication type is CONTAINER
author: James Moger <james.moger@gmail.com> 2015-05-24 10:16:45 -0400
committer: James Moger <james.moger@gmail.com> 2015-05-24 10:16:45 -0400
commit: 79922557bf5a716fcb758e2437b36714e51368e5 (patch)
tree: 20ddebf0f00c10a276a99c1c36bbc75c7ba67673 /src
parent: 5cc0a69a7be2af8bb11ccee3e3ea2624904c4fa0 (diff)
parent: 14d630b8682c425880511a2c5ddf520198f55205 (diff)
download: gitblit-79922557bf5a716fcb758e2437b36714e51368e5.tar.gz
gitblit-79922557bf5a716fcb758e2437b36714e51368e5.zip
1 files changed, 6 insertions, 1 deletions
diff --git a/src/main/java/com/gitblit/wicket/pages/SessionPage.java b/src/main/java/com/gitblit/wicket/pages/SessionPage.java
index 0dda9495..af7f2115 100644
--- a/src/main/java/com/gitblit/wicket/pages/SessionPage.java
+++ b/src/main/java/com/gitblit/wicket/pages/SessionPage.java
@@ -96,7 +96,12 @@ public abstract class SessionPage extends WebPage {
 					.getAttribute(Constants.AUTHENTICATION_TYPE);
 
 			// issue 62: fix session fixation vulnerability
-			session.replaceSession();
+			// but only if authentication was done in the container.
+			// It avoid double change of session, that some authentication method
+			// don't like
+			if (AuthenticationType.CONTAINER != authenticationType) {
+				session.replaceSession();
+			}			
 			session.setUser(user);
 
 			request.getSession().setAttribute(Constants.AUTHENTICATION_TYPE, authenticationType);
author	James Moger <james.moger@gmail.com>	2015-05-24 10:16:45 -0400
committer	James Moger <james.moger@gmail.com>	2015-05-24 10:16:45 -0400
commit	79922557bf5a716fcb758e2437b36714e51368e5 (patch)
tree	20ddebf0f00c10a276a99c1c36bbc75c7ba67673 /src
parent	5cc0a69a7be2af8bb11ccee3e3ea2624904c4fa0 (diff)
parent	14d630b8682c425880511a2c5ddf520198f55205 (diff)
download	gitblit-79922557bf5a716fcb758e2437b36714e51368e5.tar.gz gitblit-79922557bf5a716fcb758e2437b36714e51368e5.zip