authorAnna Koskinen <Ansku@users.noreply.github.com>2020-04-24 13:23:39 +0300
committerGitHub <noreply@github.com>2020-04-24 13:23:39 +0300
commit8782319d4f7acc41d115900bfe307d169258539d (patch)
treecf21ec1ccb49893497b30c463637654fae67d37a
parentc4626ca95ff23fdafb5c315e1cd745229e5534a2 (diff)
downloadvaadin-framework-8782319d4f7acc41d115900bfe307d169258539d.tar.gz
vaadin-framework-8782319d4f7acc41d115900bfe307d169258539d.zip
Expired session: use 403 Forbidden instead of 410 Gone (#11859) (#11964)
* Expired session: use 403 Forbidden instead of 410 Gone (#11859) Use 403 Forbidden instead of 410 Gone when the session has expired. Also prevent caching in more cases.
-rw-r--r--client/src/main/java/com/vaadin/client/communication/DefaultConnectionStateHandler.java2
-rw-r--r--server/src/main/java/com/vaadin/server/VaadinService.java10
-rw-r--r--server/src/main/java/com/vaadin/server/communication/HeartbeatHandler.java13
3 files changed, 16 insertions, 9 deletions
diff --git a/client/src/main/java/com/vaadin/client/communication/DefaultConnectionStateHandler.java b/client/src/main/java/com/vaadin/client/communication/DefaultConnectionStateHandler.java
index 27c7052d30..f0630592be 100644
--- a/client/src/main/java/com/vaadin/client/communication/DefaultConnectionStateHandler.java
+++ b/client/src/main/java/com/vaadin/client/communication/DefaultConnectionStateHandler.java
@@ -146,7 +146,7 @@ public class DefaultConnectionStateHandler implements ConnectionStateHandler {
int statusCode = response.getStatusCode();
getLogger().warning("Heartbeat request returned " + statusCode);
- if (response.getStatusCode() == Response.SC_GONE) {
+ if (response.getStatusCode() == Response.SC_FORBIDDEN) {
// Session expired
getConnection().showSessionExpiredError(null);
stopApplication();
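Review bot: The comparison on the `+` line re-reads `response.getStatusCode()` although the local `statusCode` captured two lines earlier already holds that value and is what the warning logs; `if (statusCode == Response.SC_FORBIDDEN) {` keeps the log line and the branch in step. A second point worth a comment: 403 is a far more generic status than the old 410, so an authentication filter, reverse proxy or gateway in front of the application that answers a heartbeat with 403 will now be reported to the user as an expired session and stop the application; stating that trade-off next to the check, e.g. `// 403 is also returned by proxies/auth filters; treated as session expiry`, would help the next reader. The enclosing method starts and ends outside the hunk.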
diff --git a/server/src/main/java/com/vaadin/server/VaadinService.java b/server/src/main/java/com/vaadin/server/VaadinService.java
index 7db1a4fd55..4f01820868 100644
--- a/server/src/main/java/com/vaadin/server/VaadinService.java
+++ b/server/src/main/java/com/vaadin/server/VaadinService.java
@@ -1759,7 +1759,15 @@ public abstract class VaadinService implements Serializable {
* endless loop. This can at least happen if refreshing a
* resource when the session has expired.
*/
- response.sendError(HttpServletResponse.SC_GONE,
+
+ // Ensure that the browser does not cache expired responses.
+ // iOS 6 Safari requires this (#3226)
+ response.setHeader("Cache-Control", "no-cache");
+ // If Content-Type is not set, browsers assume text/html and may
+ // complain about the empty response body (#4167)
+ response.setHeader("Content-Type", "text/plain");
+
+ response.sendError(HttpServletResponse.SC_FORBIDDEN,
"Session expired");
}
} catch (IOException e) {
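Review bot: The `Content-Type: text/plain` header set on the added lines is likely undone by the `sendError` call that follows it: the servlet API documents `sendError(int, String)` as clearing the buffer and producing an HTML-formatted error page with content type `text/html`, so unless the response wrapper used here (not visible in the hunk) behaves differently, the header only takes effect on paths that do not call `sendError`. The same set-headers-then-`sendError` ordering appears in the session-expired hunk of HeartbeatHandler in this commit. If the intent stated in the comment is that the browser must never reuse the expired response, `Cache-Control: no-store` is the stricter directive; `no-cache` still permits the response to be stored and revalidated, and older intermediaries only honour `Pragma: no-cache`. The enclosing method starts outside the hunk.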
diff --git a/server/src/main/java/com/vaadin/server/communication/HeartbeatHandler.java b/server/src/main/java/com/vaadin/server/communication/HeartbeatHandler.java
index 07ab402514..8733c7b58c 100644
--- a/server/src/main/java/com/vaadin/server/communication/HeartbeatHandler.java
+++ b/server/src/main/java/com/vaadin/server/communication/HeartbeatHandler.java
@@ -62,10 +62,10 @@ public class HeartbeatHandler extends SynchronizedRequestHandler
if (ui != null) {
ui.setLastHeartbeatTimestamp(System.currentTimeMillis());
// Ensure that the browser does not cache heartbeat responses.
- // iOS 6 Safari requires this (#10370)
+ // iOS 6 Safari requires this (#3226)
response.setHeader("Cache-Control", "no-cache");
// If Content-Type is not set, browsers assume text/html and may
- // complain about the empty response body (#12182)
+ // complain about the empty response body (#4167)
response.setHeader("Content-Type", "text/plain");
} else {
response.sendError(HttpServletResponse.SC_NOT_FOUND,
@@ -88,15 +88,14 @@ public class HeartbeatHandler extends SynchronizedRequestHandler
if (!ServletPortletHelper.isHeartbeatRequest(request)) {
return false;
}
-
- // Ensure that the browser does not cache expired response.
- // iOS 6 Safari requires this (#10370)
+ // Ensure that the browser does not cache expired heartbeat responses.
+ // iOS 6 Safari requires this (#3226)
response.setHeader("Cache-Control", "no-cache");
// If Content-Type is not set, browsers assume text/html and may
- // complain about the empty response body (#12182)
+ // complain about the empty response body (#4167)
response.setHeader("Content-Type", "text/plain");
- response.sendError(HttpServletResponse.SC_NOT_FOUND, "Session expired");
+ response.sendError(HttpServletResponse.SC_FORBIDDEN, "Session expired");
return true;
}
}
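Review bot: The three header-setting lines on the `+` side duplicate the block in the `ui != null` branch of the previous hunk and the block added to VaadinService in this same commit, differing only in comment wording; the stale issue numbers corrected here show the copies have already drifted once. A small helper, e.g. `setNoCacheHeaders(response)` holding both `setHeader` calls and the iOS/Content-Type comments, called from all three places, would keep the cache directives consistent. The enclosing method starts outside the hunk, and the hunk's line counts suggest a context line (probably blank) was dropped in rendering, so its exact end is uncertain from this view.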