[FIXED SECURITY-75] Invalidate session after login to avoid session fixation

8ac74c35 · Vojtech Juranek · Jesse Glick · 5d57c855 · 8ac74c35
隐藏空白更改
内联并排

Showing with 1 addition and 0 deletion

core/src/main/java/hudson/security/AuthenticationProcessingFilter2.java ...java/hudson/security/AuthenticationProcessingFilter2.java +1 -0

未找到文件。
--- a/core/src/main/java/hudson/security/AuthenticationProcessingFilter2.java
+++ b/core/src/main/java/hudson/security/AuthenticationProcessingFilter2.java
@@ -85,6 +85,7 @@ public class AuthenticationProcessingFilter2 extends AuthenticationProcessingFil
        // HttpSessionContextIntegrationFilter stores the updated SecurityContext object into this session later
        // (either when a redirect is issued, via its HttpResponseWrapper, or when the execution returns to its
        // doFilter method.
+        request.getSession().invalidate();
        request.getSession();
    }