From 55a704383717ce31d338cf903f60db5e5b7bcda2 Mon Sep 17 00:00:00 2001 From: Andreas Svanberg Date: Fri, 8 Nov 2024 10:55:57 +0100 Subject: [PATCH] Fix users getting stuck at a blank white page after logging in. By default, Tomcat will use a cookie to track the session. However, if there is no cookie sent by the browser it will append the session id to the URL. The way it does this is by adding a ";jsessionid=..." to the end. This is not a problem in itself, but it can enable session hijacking if the URL is shared and ";" is a blocked character by the default Spring Security configuration (see StrictHttpFirewall). So what happens is a user navigates to SciPro. No session cookie is sent since this is the first request. SciPro sees that the user is not authenticated and redirects the user to the login page. When SciPro checks for authentication it checks the session which will instruct Tomcat to create a session. Since Tomcat sees no cookie it will append the session id to the redirect URL to try and track the session. After the user has logged in it is redirected back to SciPro with the session id in the URL which is then blocked by Spring's StrictHttpFirewall. To avoid this, we can set the tracking mode to *only* COOKIE. An alternative solution is to tell Spring to allow ";" in the URL but there seems to be good reason as to why it is blocked, see the Javadoc linked below. https://github.com/spring-projects/spring-security/blob/ab93541926bef02f76231b78ba97ca0bed14c340/web/src/main/java/org/springframework/security/web/firewall/StrictHttpFirewall.java#L202 --- war/src/main/webapp/WEB-INF/web.xml | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/war/src/main/webapp/WEB-INF/web.xml b/war/src/main/webapp/WEB-INF/web.xml index b346f3b49c..9741e82487 100755 --- a/war/src/main/webapp/WEB-INF/web.xml +++ b/war/src/main/webapp/WEB-INF/web.xml @@ -10,5 +10,28 @@ 480 + + + COOKIE -- 2.39.5