From 55c385e96e6594ec1ac3b5cd41ccd2df6048b696 Mon Sep 17 00:00:00 2001 From: James Moger <james.moger@gmail.com> Date: Tue, 15 Sep 2015 07:42:11 -0400 Subject: [PATCH] Merge pull request #915 from lucamilanesio/lucene-5.2.1 --- src/main/java/com/gitblit/wicket/pages/SessionPage.java | 7 ++++++- 1 files changed, 6 insertions(+), 1 deletions(-) diff --git a/src/main/java/com/gitblit/wicket/pages/SessionPage.java b/src/main/java/com/gitblit/wicket/pages/SessionPage.java index 0dda949..af7f211 100644 --- a/src/main/java/com/gitblit/wicket/pages/SessionPage.java +++ b/src/main/java/com/gitblit/wicket/pages/SessionPage.java @@ -96,7 +96,12 @@ .getAttribute(Constants.AUTHENTICATION_TYPE); // issue 62: fix session fixation vulnerability - session.replaceSession(); + // but only if authentication was done in the container. + // It avoid double change of session, that some authentication method + // don't like + if (AuthenticationType.CONTAINER != authenticationType) { + session.replaceSession(); + } session.setUser(user); request.getSession().setAttribute(Constants.AUTHENTICATION_TYPE, authenticationType); -- Gitblit v1.9.1