Fix users getting stuck at a blank white page after logging in. #16

Merged
niat8586 merged 2 commits from session-tracking-firewall into develop 2024-11-13 08:01:18 +01:00
Owner

By default, Tomcat will use a cookie to track the session. However, if there is no cookie sent by the browser it will append the session id to the URL. The way it does this is by adding a ";jsessionid=..." to the end. This is not a problem in itself, but it can enable session hijacking if the URL is shared and ";" is a blocked character by the default Spring Security configuration (see StrictHttpFirewall).

So what happens is a user navigates to SciPro. No session cookie is sent since this is the first request. SciPro sees that the user is not authenticated and redirects the user to the login page. When SciPro checks for authentication it checks the session which will instruct Tomcat to create a session. Since Tomcat sees no cookie it will append the session id to the redirect URL to try and track the session. After the user has logged in they are redirected back to SciPro with the session id in the URL which is then blocked by Spring's StrictHttpFirewall.

To avoid this, we can set the tracking mode to only COOKIE.

An alternative solution is to tell Spring to allow ";" in the URL but there seems to be good reason as to why it is blocked, see the Javadoc linked below.

https://github.com/spring-projects/spring-security/blob/ab93541926bef02f76231b78ba97ca0bed14c340/web/src/main/java/org/springframework/security/web/firewall/StrictHttpFirewall.java#L202

How to test

  1. Open a new private browsing window (to make sure there are no cookies).
  2. Go to http://localhost:8080 (or wherever you have SciPro running) while on the develop branch
  3. See that you're stuck on a blank white page with a ";jsessionid=..." in the URL with a 401 response
  4. Remove the ";jsessionid=..." part and you'll be logged in to SciPro
  5. Switch to this branch and try and see that you'll be logged in immediately
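The two halves of the behaviour described above, as an added example that is not SciPro's or this PR's own code: a Spring Boot configuration bean that restricts session tracking to COOKIE (the same effect as the fix), and a small helper showing that the default StrictHttpFirewall rejects a request URI carrying ";jsessionid=". It assumes Spring Boot 3 with the Jakarta Servlet API, spring-security-web and spring-test on the classpath; the class and method names are hypothetical.

```java
import java.util.EnumSet;

import jakarta.servlet.ServletContext;
import jakarta.servlet.SessionTrackingMode;

import org.springframework.boot.web.servlet.ServletContextInitializer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.security.web.firewall.RequestRejectedException;
import org.springframework.security.web.firewall.StrictHttpFirewall;

@Configuration
public class CookieOnlySessionConfig {

    /**
     * Restricts the container to cookie-based session tracking, so Tomcat never
     * rewrites a redirect URL to carry ";jsessionid=...". Equivalent to setting
     * server.servlet.session.tracking-modes=cookie in application.properties.
     */
    @Bean
    public ServletContextInitializer cookieOnlySessionTracking() {
        return (ServletContext ctx) ->
                ctx.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));
    }

    /**
     * Returns true when the default StrictHttpFirewall rejects the given request URI.
     * With URL session tracking enabled, the post-login redirect hits this rejection,
     * which is the blank page / 401 the PR describes.
     */
    public static boolean isRejectedByFirewall(String requestUri) {
        MockHttpServletRequest request = new MockHttpServletRequest("GET", requestUri);
        try {
            new StrictHttpFirewall().getFirewalledRequest(request);
            return false;
        } catch (RequestRejectedException e) {
            return true;
        }
    }

    public static void main(String[] args) {
        // Constructed sample URIs: a URL-rewritten redirect and the plain cookie-tracked one.
        System.out.println(isRejectedByFirewall("/;jsessionid=0123456789ABCDEF0123456789ABCDEF"));
        System.out.println(isRejectedByFirewall("/"));
    }
}
```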
ansv7779 added 1 commit 2024-11-08 11:03:54 +01:00
Fix users getting stuck at a blank white page after logging in.
All checks were successful
Build and test / build-and-test (push) Successful in 6m43s
55a7043837
By default, Tomcat will use a cookie to track the session. However, if there is no cookie sent by the browser it will append the session id to the URL. The way it does this is by adding a ";jsessionid=..." to the end. This is not a problem in itself, but it can enable session hijacking if the URL is shared and ";" is a blocked character by the default Spring Security configuration (see StrictHttpFirewall).

So what happens is a user navigates to SciPro. No session cookie is sent since this is the first request. SciPro sees that the user is not authenticated and redirects the user to the login page. When SciPro checks for authentication it checks the session which will instruct Tomcat to create a session. Since Tomcat sees no cookie it will append the session id to the redirect URL to try and track the session. After the user has logged in they are redirected back to SciPro with the session id in the URL which is then blocked by Spring's StrictHttpFirewall.

To avoid this, we can set the tracking mode to *only* COOKIE.

An alternative solution is to tell Spring to allow ";" in the URL but there seems to be good reason as to why it is blocked, see the Javadoc linked below.

https://github.com/spring-projects/spring-security/blob/ab93541926bef02f76231b78ba97ca0bed14c340/web/src/main/java/org/springframework/security/web/firewall/StrictHttpFirewall.java#L202
ansv7779 added 1 commit 2024-11-12 13:41:50 +01:00
Merge remote-tracking branch 'gitea/develop' into session-tracking-firewall
All checks were successful
Build and test / build-and-test (push) Successful in 6m41s
724c4a8027
niat8586 approved these changes 2024-11-13 08:00:55 +01:00
Owner

👍
niat8586 merged commit a9b8542576 into develop 2024-11-13 08:01:18 +01:00
niat8586 deleted branch session-tracking-firewall 2024-11-13 08:01:18 +01:00