From a4fa2c0afc75eccbea161945d333a1ecb1ce0342 Mon Sep 17 00:00:00 2001
From: Yuriy Artamonov
Date: Tue, 22 Nov 2016 15:31:41 +0400
Subject: [PATCH] PL-8242 Do not use User session fixation protection if connection is not authenticated
---
 modules/web/src/com/haulmont/cuba/web/DefaultApp.java | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/modules/web/src/com/haulmont/cuba/web/DefaultApp.java b/modules/web/src/com/haulmont/cuba/web/DefaultApp.java
index b245342d48..c49c65bfd8 100644
--- a/modules/web/src/com/haulmont/cuba/web/DefaultApp.java
+++ b/modules/web/src/com/haulmont/cuba/web/DefaultApp.java
@@ -84,7 +84,8 @@ public class DefaultApp extends App implements ConnectionListener, UserSubstitut
 // substitution listeners are cleared by connection on logout
 connection.addSubstitutionListener(this);
- if (webConfig.getUseSessionFixationProtection()) {
+ if (connection.isAuthenticated()
+ && webConfig.getUseSessionFixationProtection()) {
 VaadinService.reinitializeSession(VaadinService.getCurrentRequest());
 WrappedSession session = VaadinSession.getCurrent().getSession();
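Review bot: The added `connection.isAuthenticated()` guard makes session-id rotation depend on this branch being reached on every transition from an anonymous to an authenticated connection, and nothing in the hunk documents or enforces that. If an anonymous connection can later become authenticated without this code running again (not visible here, since the enclosing method starts and ends outside the hunk), the pre-login session id would survive the login, which is the fixation case `getUseSessionFixationProtection()` is meant to prevent. I would add a comment above the condition such as `// anonymous connections keep their session id; it must be rotated here on every anonymous -> authenticated transition`, and cover that transition with a test that asserts the session id changes.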