Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

The jfwid contains the session ID #5375

Closed
jasondlee opened this issue Dec 11, 2023 · 1 comment
Closed

The jfwid contains the session ID #5375

jasondlee opened this issue Dec 11, 2023 · 1 comment
Assignees
@jasondlee
Milestone
4.0.6

Comments

@jasondlee
Copy link
Contributor

The client window ID generated in ClientWindowImpl contains the session ID, which is not needed for this functionality, and exposure of the session ID can be used to compromise security. This method should be modified, then, so as not to use the session. PR incoming.
@jasondlee jasondlee self-assigned this Dec 11, 2023
@jasondlee jasondlee mentioned this issue Dec 11, 2023
Merged
@arjantijms
Copy link
Contributor

+1 indeed for not leaking the session ID anyway, and even more so when it's not needed.

@BalusC BalusC added this to the 4.0.6 milestone Feb 10, 2024
@BalusC BalusC mentioned this issue Feb 10, 2024
Closed
BalusC added a commit that referenced this issue Feb 18, 2024
@BalusC
Improved impl for #5375
7fe0ddf
@BalusC BalusC mentioned this issue Feb 18, 2024
Merged
arjantijms added a commit that referenced this issue Feb 20, 2024
@arjantijms
Merge pull request #5402 from eclipse-ee4j/mojarra_issue_5375_jfwid_m…
0c2052d 
…ay_not_leak_session_id

#5375: jfwid may not leak session id
@BalusC BalusC closed this as completed Mar 2, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jasondlee jasondlee

Labels
None yet
Projects
None yet
Milestone
4.0.6
Development

No branches or pull requests
3 participants
@BalusC @jasondlee @arjantijms