Skip to content
  1. May 05, 2012
  2. May 04, 2012
    • Kohsuke Kawaguchi's avatar
    • Kohsuke Kawaguchi's avatar
      [FIXED JENKINS-12585] restrict where sessions are created. · 7a4858d6
      Kohsuke Kawaguchi authored
      If a resource with 'Set-Cookie' header is cached (either by intermediary
      like HTTP proxy and reverse proxy, or by the browser), it'll cause
      identity swap / session mix-up as discussed in this ticket.
      
      I suspect this was caused by HttpSessionContextIntegrationFilter2, which
      is the only code path that attempts to create a session when a request
      to a static resource is made.
      
      So I'm disabling the creation of session in
      HttpSessionContextIntegrationFilter2. This in turn requires that we
      have sessions already created when the authentication was successful and
      people need to login (or else the login will have no effect.)
      
      We already do so in layout.jelly, so any request that renders a Jenkins
      page would have a session, but I've also added it in
      AuthenticationProcessingFilter2, which ensures that a successful login
      does have a session.
      7a4858d6
  3. May 03, 2012
  4. Apr 30, 2012
  5. Apr 26, 2012
  6. Apr 25, 2012
  7. Apr 24, 2012
  8. Apr 23, 2012
  9. Apr 21, 2012
  10. Apr 19, 2012
  11. Apr 17, 2012
  12. Apr 15, 2012
  13. Apr 14, 2012
  14. Apr 12, 2012
  15. Apr 11, 2012
  16. Apr 09, 2012
  17. Apr 06, 2012
Loading