  1. May 06, 2012
  2. May 05, 2012
  3. May 04, 2012
    • [FIXED JENKINS-12585] restrict where sessions are created. · 7a4858d6
      Kohsuke Kawaguchi authored
      If a resource with 'Set-Cookie' header is cached (either by intermediary
      like HTTP proxy and reverse proxy, or by the browser), it'll cause
      identity swap / session mix-up as discussed in this ticket.
      
      I suspect this was caused by HttpSessionContextIntegrationFilter2, which
      is the only code path that attempts to create a session when a request
      to a static resource is made.
      
      So I'm disabling the creation of sessions in
      HttpSessionContextIntegrationFilter2. This in turn requires that we
      have sessions already created when the authentication was successful and
      people need to log in (or else the login will have no effect.)
      
      We already do so in layout.jelly, so any request that renders a Jenkins
      page would have a session, but I've also added it in
      AuthenticationProcessingFilter2, which ensures that a successful login
      does have a session.
  4. May 03, 2012
  5. May 01, 2012
  6. Apr 30, 2012
  7. Apr 28, 2012
  8. Apr 27, 2012
  9. Apr 26, 2012