Bug 370385 - Implement support for CSRF prevention
Summary: Implement support for CSRF prevention
Status: RESOLVED FIXED
Alias: None
Product: Jetty
Classification: RT
Component: server
Version: 7.6.0
Hardware: PC Linux
Importance: P3 normal
Target Milestone: 7.5.x
Assignee: Jan Bartel CLA
QA Contact:
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
Reported: 2012-02-01 20:39 EST by Jan Bartel CLA
Modified: 2013-08-23 03:03 EDT
CC List: 1 user

See Also:


Attachments

Description Jan Bartel CLA 2012-02-01 20:39:57 EST
Implement ability to change session id on authentication.
Comment 1 Jan Bartel CLA 2012-02-06 01:54:23 EST
This code is already in place in jetty, and has been for some time.

CSRF protection is in fact enabled by default. To turn it off, call SecurityHandler.setSessionRenewedOnAuthentication(false);

I will leave this issue open, as we are working on changing the mechanism in anticipation of Servlet Spec 3.1 incorporating formal support for CSRF. As part of the changes, we will replace the code that changes the session id by destroying and creating a new session and copying its data over, with code which merely replaces the session id on the existing session.
Comment 2 Jan Bartel CLA 2012-02-08 16:17:57 EST
See new renewSessionId branch in git for work on new mechanism.
Comment 3 Jan Bartel CLA 2013-08-23 03:03:31 EDT
Servlet 3.1 Request.changeSessionId() implemented some time ago in jetty-9.1 and impl changed to only change session id, not session object.

Jan
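The two mechanisms discussed in this bug, shown side by side in an added example that is not part of the bug report or of Jetty's own code: the original approach (invalidate the session, create a fresh one, copy the attributes across) and the Servlet 3.1 approach (`HttpServletRequest.changeSessionId()`, which keeps the session object and replaces only its id). Jetty's own authenticators perform this renewal automatically while `SecurityHandler.setSessionRenewedOnAuthentication(true)` is in effect (the default, per Comment 1); the servlet below is for an application that authenticates users itself and so has to renew the id on its own. `LoginServlet`, `credentialsValid`, the `username`/`password` parameters, the `/home` redirect and the `alice` credentials are constructed assumptions for the example.

```java
import java.io.IOException;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical login servlet that renews the session id after a successful
 * login so that a session id fixed by an attacker before authentication is
 * never promoted to an authenticated session.
 */
public class LoginServlet extends HttpServlet {

    /** Servlet 3.1 (Jetty 9.1+): same HttpSession object, new id. */
    static String renewSessionIdInPlace(HttpServletRequest request) {
        request.getSession(true);            // changeSessionId() requires an existing session
        return request.changeSessionId();    // attributes and listeners survive unchanged
    }

    /**
     * Pre-3.1 fallback, the mechanism Comment 1 says Jetty originally used:
     * copy the attributes, invalidate the old session, create a new one,
     * restore the attributes. Session listeners see a destroy and a create.
     */
    static HttpSession renewSessionByRecreation(HttpServletRequest request) {
        HttpSession old = request.getSession(false);
        if (old == null) {
            return request.getSession(true);
        }
        Map<String, Object> attrs = new HashMap<>();
        Enumeration<String> names = old.getAttributeNames();
        while (names.hasMoreElements()) {
            String name = names.nextElement();
            attrs.put(name, old.getAttribute(name));
        }
        old.invalidate();
        HttpSession fresh = request.getSession(true);
        attrs.forEach(fresh::setAttribute);
        return fresh;
    }

    /** Constructed credential check; a real application would use its LoginService. */
    private boolean credentialsValid(String user, String password) {
        return "alice".equals(user) && "correct-horse".equals(password);
    }

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String user = request.getParameter("username");
        String password = request.getParameter("password");

        if (!credentialsValid(user, password)) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        String oldId = request.getSession(true).getId();

        // Prefer the 3.1 API; fall back to recreation on an older container.
        String newId;
        try {
            newId = renewSessionIdInPlace(request);
        } catch (AbstractMethodError | UnsupportedOperationException e) {
            newId = renewSessionByRecreation(request).getId();
        }

        // Only now, on the renewed session, record the authenticated principal.
        request.getSession(false).setAttribute("user", user);
        log("session id renewed on login: " + oldId + " -> " + newId);
        response.sendRedirect(request.getContextPath() + "/home");
    }
}
```

The ordering in `doPost` is the point: the id is renewed before any authenticated state is stored, so a pre-login session id known to a third party is worthless afterwards. The in-place variant is preferable where available because `HttpSessionListener` and `HttpSessionBindingListener` implementations are not told the session was destroyed, which is exactly the difference Comment 3 records for jetty-9.1.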