GLASSFISH-11624

delay session creation until after user-data-constraint is enforced on login page

    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 9.0pe
    • Fix Version/s: future release
    • Component/s: security
    • Labels:
      None
    • Environment:

      Operating System: All
      Platform: Sun

      Description

      The GlassFish FormAuthenticator was enhanced to effectively enforce
      user-data-constraints on the login page.

      We should now take the additional steps of delaying any session creation by the
      FormAuthenticator until after the enforcement of any user-data-constraint on the
      login form.

      This will ensure that the session cookie will be acquired under https if the
      login page is secure, which will ensure that browsers will know that the cookie
      is not to be sent over an unprotected transport.

      This change has security merits but may cause pre-existing applications to
      break. As such, we may need to make it possible for an app to select or revert
      to the prior functionality.
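
      The ordering described above, modelled as an added example (not GlassFish code and not part of the original report). The host name, login path and function names are hypothetical, and the model assumes, as the description implies, that the container marks the session cookie Secure only when the session is created over https.

```python
from http.cookies import SimpleCookie
import secrets

LOGIN_URL = "https://app.example/login.jsp"  # hypothetical login page with a user-data-constraint

def new_session_cookie(scheme):
    """Build a Set-Cookie value; Secure is set only when the session is created
    over https (assumption taken from the issue description)."""
    jar = SimpleCookie()
    jar["JSESSIONID"] = secrets.token_hex(8)
    jar["JSESSIONID"]["path"] = "/"
    if scheme == "https":
        jar["JSESSIONID"]["secure"] = True
    return jar["JSESSIONID"].OutputString()

def handle(scheme, has_session, delay_session):
    """Model of the authenticator answering an unauthenticated request for a protected page."""
    headers = {}
    if not delay_session and not has_session:
        # Prior ordering: the session exists before the transport check runs.
        headers["Set-Cookie"] = new_session_cookie(scheme)
    if scheme != "https":
        # user-data-constraint on the login page: redirect to the secure transport.
        headers["Location"] = LOGIN_URL
        return 302, headers
    if delay_session and not has_session:
        # Proposed ordering: create the session only once the request is on https.
        headers["Set-Cookie"] = new_session_cookie(scheme)
    return 200, headers

def login_flow(delay_session):
    """Follow the redirect from a plain-http request; return [(scheme, Set-Cookie value)]."""
    issued, scheme, has_session = [], "http", False
    while True:
        status, headers = handle(scheme, has_session, delay_session)
        if "Set-Cookie" in headers:
            issued.append((scheme, headers["Set-Cookie"]))
            has_session = True
        if status != 302:
            return issued
        scheme = "https"

def sent_over_http(set_cookie):
    """A browser replays a cookie on http requests unless it carries the Secure attribute."""
    attrs = [a.strip().lower() for a in set_cookie.split(";")[1:]]
    return "secure" not in attrs

if __name__ == "__main__":
    for delay in (False, True):
        for scheme, cookie in login_flow(delay):
            print(f"delay={delay} issued over {scheme}: {cookie} replayed on http: {sent_over_http(cookie)}")
```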

        Activity

        kumarjayanti added a comment -

        setting target milestone

        kumarjayanti added a comment -

        move to V3.2 since we could not find time to fix this soon enough and it is risky now to fix this since it's
        late in the cycle

        JeffTancill added a comment -

        Not relevant to 4.0 RI.


          People

          • Assignee:
            JeffTancill
            Reporter:
            monzillo
          • Votes:
            0
            Watchers:
            0
