Fix users getting stuck at a blank white page after logging in. #16

ansv7779 · 2024-11-08T11:03:53+01:00

ansv7779 commented

2024-11-08 11:03:53 +01:00

By default, Tomcat will use a cookie to track the session. However, if there is no cookie sent by the browser it will append the session id to the URL. The way it does this is by adding a ";jsessionid=..." to the end. This is not a problem in itself, but it can enable session hijacking if the URL is shared and ";" is a blocked character by the default Spring Security configuration (see StrictHttpFirewall).

So what happens is a user navigates to SciPro. No session cookie is sent since this is the first request. SciPro sees that the user is not authenticated and redirects the user to the login page. When SciPro checks for authentication it checks the session which will instruct Tomcat to create a session. Since Tomcat sees no cookie it will append the session id to the redirect URL to try and track the session. After the user has logged in they are redirected back to SciPro with the session id in the URL which is then blocked by Spring's StrictHttpFirewall.

To avoid this, we can set the tracking mode to only COOKIE.

An alternative solution is to tell Spring to allow ";" in the URL but there seems to be good reason as to why it is blocked, see the Javadoc linked below.

ab93541926/web/src/main/java/org/springframework/security/web/firewall/StrictHttpFirewall.java (L202)

How to test

Open a new private browsing window (to make sure there are no cookies).
Go to http://localhost:8080 (or wherever you have SciPro running) while on the develop branch
See that you're stuck on a blank white page with a ";jsessionid=..." in the URL with a 401 response
Remove the ";jsessionid=..." part and you'll be logged in to SciPro
Switch to this branch and try and see that you'll be logged in immediately

By default, Tomcat will use a cookie to track the session. However, if there is no cookie sent by the browser it will append the session id to the URL. The way it does this is by adding a ";jsessionid=..." to the end. This is not a problem in itself, but it can enable session hijacking if the URL is shared and ";" is a blocked character by the default Spring Security configuration (see StrictHttpFirewall). So what happens is a user navigates to SciPro. No session cookie is sent since this is the first request. SciPro sees that the user is not authenticated and redirects the user to the login page. When SciPro checks for authentication it checks the session which will instruct Tomcat to create a session. Since Tomcat sees no cookie it will append the session id to the redirect URL to try and track the session. After the user has logged in they are redirected back to SciPro with the session id in the URL which is then blocked by Spring's StrictHttpFirewall. To avoid this, we can set the tracking mode to *only* COOKIE. An alternative solution is to tell Spring to allow ";" in the URL but there seems to be good reason as to why it is blocked, see the Javadoc linked below. https://github.com/spring-projects/spring-security/blob/ab93541926bef02f76231b78ba97ca0bed14c340/web/src/main/java/org/springframework/security/web/firewall/StrictHttpFirewall.java#L202 ## How to test 1. Open a new private browsing window (to make sure there are no cookies). 2. Go to http://localhost:8080 (or wherever you have SciPro running) while on the `develop` branch 3. See that you're stuck on a blank white page with a ";jsessionid=..." in the URL with a 401 response 4. Remove the ";jsessionid=..." part and you'll be logged in to SciPro 5. Switch to this branch and try and see that you'll be logged in immediately

ansv7779 added 1 commit 2024-11-08 11:03:54 +01:00

Fix users getting stuck at a blank white page after logging in.

Build and test / build-and-test (push) Successful in 6m43s

Details

55a7043837

By default, Tomcat will use a cookie to track the session. However, if there is no cookie sent by the browser it will append the session id to the URL. The way it does this is by adding a ";jsessionid=..." to the end. This is not a problem in itself, but it can enable session hijacking if the URL is shared and ";" is  a blocked character by the default Spring Security configuration (see StrictHttpFirewall).

So what happens is a user navigates to SciPro. No session cookie is sent since this is the first request. SciPro sees that the user is not authenticated and redirects the user to the login page. When SciPro checks for authentication it checks the session which will instruct Tomcat to create a session. Since Tomcat sees no cookie it will append the session id to the redirect URL to try and track the session. After the user has logged in it is redirected back to SciPro with the session id in the URL which is then blocked by Spring's StrictHttpFirewall.

To avoid this, we can set the tracking mode to *only* COOKIE.

An alternative solution is to tell Spring to allow ";" in the URL but there seems to be good reason as to why it is blocked, see the Javadoc linked below.

ab93541926/web/src/main/java/org/springframework/security/web/firewall/StrictHttpFirewall.java (L202)

ansv7779 added 1 commit 2024-11-12 13:41:50 +01:00

Merge remote-tracking branch 'gitea/develop' into session-tracking-firewall

Build and test / build-and-test (push) Successful in 6m41s

Details

724c4a8027

niat8586 approved these changes 2024-11-13 08:00:55 +01:00

niat8586 commented

2024-11-13 08:01:11 +01:00

👍

niat8586 merged commit a9b8542576 into develop

2024-11-13 08:01:18 +01:00

niat8586 deleted branch session-tracking-firewall