HttpServletRequest.changeSessionId leads to 404 on lift/page/xxx.js

Open fanf opened this issue 7 years ago • 1 comments

Mailing List thread: https://groups.google.com/forum/#!topic/liftweb/lcn6U6_Igxk

Example project: https://github.com/fanf/demo-bug-lift-session

When the underlying session ID changes without a clean invalidate/create cycle, for example with HttpServletRequest.changeSessionId, which seems to be the recommended session fixation prevention method for servlet 3.1 (and so is used in authentication frameworks like Spring Security), Lift sessions are destroyed after the data-lift-gc attribute is generated, and so the Lift page JavaScript at the end of the page fails because of a 404 error.

fanf, Mar 28 '18 00:03
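
A diagnostic for the behaviour described in this issue, added here as an example; it is not code from Lift or from the linked demo project. The class name and log format are hypothetical, it assumes the javax.servlet 3.1 API, and the `lift/page/` path fragment is taken from the issue title.

```java
import java.io.IOException;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.logging.Logger;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical diagnostic class (not part of Lift or the demo project).
// Register it in web.xml as both a <listener> and a <filter> mapped to /*.
public class SessionRotationAudit
        implements Filter, HttpSessionListener, HttpSessionIdListener {
    private static final Logger LOG = Logger.getLogger("session-rotation-audit");
    // current container session ID -> ID it replaced via changeSessionId()
    private static final Map<String, String> ROTATED = new ConcurrentHashMap<>();

    // Never write full session IDs to logs; a short prefix is enough to correlate.
    private static String tag(String id) {
        return id == null ? "none" : id.substring(0, Math.min(6, id.length())) + "...";
    }

    @Override public void sessionCreated(HttpSessionEvent e) {
        LOG.info("created " + tag(e.getSession().getId()));
    }
    @Override public void sessionDestroyed(HttpSessionEvent e) {
        ROTATED.remove(e.getSession().getId());
        LOG.info("destroyed " + tag(e.getSession().getId()));
    }
    // Fired by changeSessionId(): same HttpSession object, new ID, and no
    // sessionDestroyed/sessionCreated pair around it.
    @Override public void sessionIdChanged(HttpSessionEvent e, String oldId) {
        ROTATED.put(e.getSession().getId(), oldId);
        LOG.info("rotated " + tag(oldId) + " -> " + tag(e.getSession().getId()));
    }

    @Override public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        chain.doFilter(rq, rs);
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpSession s = req.getSession(false);   // do not create a session here
        String replaced = (s == null) ? null : ROTATED.get(s.getId());
        // Path fragment taken from the issue title (lift/page/xxx.js).
        if (((HttpServletResponse) rs).getStatus() == 404 && replaced != null
                && req.getRequestURI().contains("lift/page/")) {
            LOG.warning("404 on " + req.getRequestURI() + " for a session rotated from "
                    + tag(replaced));
        }
    }
    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }
}
```

A `rotated` log line with no `destroyed`/`created` pair around it, followed by the 404 warning, confirms that the ID was changed in place rather than through an invalidate/create cycle.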

This bug also allowed us to find #1946 (the idea was to make the login page stateless to avoid the fatal ID change, which was in the end not possible).

fanf, Mar 28 '18 00:03