Fix users getting stuck at a blank white page after logging in. (#16)

By default, Tomcat will use a cookie to track the session. However, if there is no cookie sent by the browser it will append the session id to the URL. The way it does this is by adding a ";jsessionid=..." to the end. This is not a problem in itself, but it can enable session hijacking if the URL is shared and ";" is a blocked character by the default Spring Security configuration (see StrictHttpFirewall). So what happens is a user navigates to SciPro. No session cookie is sent since this is the first request. SciPro sees that the user is not authenticated and redirects the user to the login page. When SciPro checks for authentication it checks the session which will instruct Tomcat to create a session. Since Tomcat sees no cookie it will append the session id to the redirect URL to try and track the session. After the user has logged in they are redirected back to SciPro with the session id in the URL which is then blocked by Spring's StrictHttpFirewall. To avoid this, we can set the tracking mode to *only* COOKIE. An alternative solution is to tell Spring to allow ";" in the URL but there seems to be good reason as to why it is blocked, see the Javadoc linked below. ab93541926/web/src/main/java/org/springframework/security/web/firewall/StrictHttpFirewall.java (L202) ## How to test 1. Open a new private browsing window (to make sure there are no cookies). 2. Go to http://localhost:8080 (or wherever you have SciPro running) while on the `develop` branch 3. See that you're stuck on a blank white page with a ";jsessionid=..." in the URL with a 401 response 4. Remove the ";jsessionid=..." part and you'll be logged in to SciPro 5. Switch to this branch and try and see that you'll be logged in immediately Reviewed-on: #16 Reviewed-by: niat8586 <nico@dsv.su.se> Co-authored-by: Andreas Svanberg <andreass@dsv.su.se> Co-committed-by: Andreas Svanberg <andreass@dsv.su.se>
2024-11-13 08:01:17 +01:00 · 2024-11-13 08:01:17 +01:00 · a9b8542576
commit a9b8542576
parent cfe61a9ed8
1 changed files with 23 additions and 0 deletions
--- a/war/src/main/webapp/WEB-INF/web.xml
+++ b/war/src/main/webapp/WEB-INF/web.xml
@ -10,5 +10,28 @@

    <session-config>
        <session-timeout>480</session-timeout>
+
+        <!--
+            By default, Tomcat will use a cookie to track the session.
+            However, if there is no cookie sent by the browser it will append
+            the session id to the URL. The way it does this is by adding a
+            ";jsessionid=..." to the end. This is not a problem in itself, but
+            it can enable session hijacking if the URL is shared and ";" is
+            a blocked character by the default Spring Security configuration.
+            (see StrictHttpFirewall).
+
+            So what happens is a user navigates to SciPro. No session cookie is
+            sent since this is the first request. SciPro sees that the user is
+            not authenticated and redirects the user to the login page.
+            When SciPro checks for authentication it checks the session which
+            will instruct Tomcat to create a session. Since Tomcat sees no
+            cookie it will append the session id to the redirect URL to try and
+            track the session. After the user has logged in it is redirected
+            back to SciPro with the session id in the URL which is then blocked
+            by Spring's StrictHttpFirewall.
+
+            To avoid this, we can set the tracking mode to *only* COOKIE.
+        -->
+        <tracking-mode>COOKIE</tracking-mode>
    </session-config>
 </web-app>