HttpServletRequest.changeSessionId leads to 404 on lift/page/xxx.js #1947

Open
fanf opened this issue Mar 28, 2018 · 1 comment

fanf commented Mar 28, 2018

Mailing List thread: https://groups.google.com/forum/#!topic/liftweb/lcn6U6_Igxk

Example project: https://github.com/fanf/demo-bug-lift-session

When the underlying session ID changes without a clean invalidate/create cycle, for example with HttpServletRequest.changeSessionId, which seems to be the recommended session fixation prevention method for Servlet 3.1 (and so is used in authentication frameworks like Spring Security), Lift sessions are destroyed after the data-lift-gc attribute is generated, and so the Lift page JavaScript at the end of the page fails because of a 404 error.

fanf commented Mar 28, 2018

This bug also allowed us to find #1946 (the idea was to make the login page stateless to avoid the fatal ID change, which was in the end not possible).

Shadowfiend self-assigned this Mar 28, 2018