Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SEC-2865: Session URL rewriting being disabled should only strip JSESSIONID #3087

Open
spring-projects-issues opened this issue Feb 23, 2015 · 3 comments
Open

SEC-2865: Session URL rewriting being disabled should only strip JSESSIONID #3087

spring-projects-issues opened this issue Feb 23, 2015 · 3 comments
Labels
in: web An issue in web modules (web, webmvc) type: enhancement A general enhancement type: jira An issue that was migrated from JIRA

Comments

@spring-projects-issues
Copy link

Rob Winch (Migrated from SEC-2865) said:

This is important so URL rewriting for something like Spring Session can take place

Things to consider:

  • Users may have customized the COOKIE name (i.e. it may be a path variable other than JSESSIONID)
  • Users may have path variables in their initial URL
@spring-projects-issues
Copy link
Author

Rob Winch said:

Moving to backlog due to the fact that this is a significant new feature and we are already in RC phase

@spring-projects-issues spring-projects-issues added in: web An issue in web modules (web, webmvc) Open type: enhancement A general enhancement type: jira An issue that was migrated from JIRA labels Feb 5, 2016
@spring-projects-issues spring-projects-issues added this to the 4.0 Backlog milestone Feb 5, 2016
@rwinch rwinch modified the milestone: 4.0 Backlog Aug 15, 2016
@OrangeDog
Copy link
Contributor

Just to clarify, it is known that by default .sessionManagement() disables ALL rewriting?
While technically correct, rather than "disallows HTTP sessions to be included in the URL", the documentation should be clear on this.

@jzheaux
Copy link
Contributor

jzheaux commented Apr 8, 2019

Good point, @OrangeDog. Would you like to submit a PR with some improved documentation around this?

@rwinch rwinch removed the Open label May 3, 2019
OrangeDog added a commit to OrangeDog/spring-security that referenced this issue Nov 13, 2019
@OrangeDog
Clarify behaviour of enableSessionUrlRewriting
d1f9e29 
See spring-projects#3087
@OrangeDog OrangeDog mentioned this issue Nov 13, 2019
Closed
jzheaux pushed a commit that referenced this issue Dec 9, 2021
@OrangeDog @jzheaux
Clarify behaviour of enableSessionUrlRewriting
5598688 
See #3087
jzheaux pushed a commit that referenced this issue Dec 9, 2021
@OrangeDog @jzheaux
Clarify behaviour of enableSessionUrlRewriting
c1b0e59 
See #3087
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
in: web An issue in web modules (web, webmvc) type: enhancement A general enhancement type: jira An issue that was migrated from JIRA
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@rwinch @OrangeDog @jzheaux @spring-projects-issues