PL-8242 Do not use User session fixation protection if connection is not authenticated

2024-12-04 20:28:00 +08:00 · 2016-11-22 15:31:41 +04:00 · 2016-11-22 15:31:41 +04:00 · a4fa2c0afc
commit a4fa2c0afc
parent 7fd3acff5e
1 changed files with 2 additions and 1 deletions
--- a/modules/web/src/com/haulmont/cuba/web/DefaultApp.java
+++ b/modules/web/src/com/haulmont/cuba/web/DefaultApp.java
@ -84,7 +84,8 @@ public class DefaultApp extends App implements ConnectionListener, UserSubstitut
            // substitution listeners are cleared by connection on logout
            connection.addSubstitutionListener(this);

-            if (webConfig.getUseSessionFixationProtection()) {
+            if (connection.isAuthenticated()
+                    && webConfig.getUseSessionFixationProtection()) {
                VaadinService.reinitializeSession(VaadinService.getCurrentRequest());

                WrappedSession session = VaadinSession.getCurrent().getSession();