  1. OpenAM
  2. OPENAM-746

CDCServlet should only compute TokenRestriction if cookie hijacking prevention is configured


    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: Snapshot9, Snapshot9.5, Snapshot9.5.1, Snapshot9.5.2_RC1, Snapshot9.5.2, 9.5.3_RC1
    • Fix Version/s: 9.5.5, 10.0.1, 10.1.0-Xpress
    • Component/s: cdsso
    • Sprint 3

      Description

      CDCServlet.java:
      ================

      Method 'redirectWithAuthNResponse'

      // The restriction is computed on every call, even when uniqueCookieEnabled is false.
      TokenRestriction tokenRes =
          spValidator.validateAndGetRestriction(
              FSAuthnRequest.parseURLEncodedRequest(request),
              gotoURL);
      if (uniqueCookieEnabled) {
          resTokenID = sessionService.getRestrictedTokenId(
              token.getTokenID().toString(), tokenRes);
      } else {
          resTokenID = token.getTokenID().toString();
      }

      Variable 'tokenRes' is only used within the block of the if clause

      Proposed fix:
      if (uniqueCookieEnabled) {
          // Compute the restriction only when a restricted token ID is issued.
          TokenRestriction tokenRes =
              spValidator.validateAndGetRestriction(
                  FSAuthnRequest.parseURLEncodedRequest(request),
                  gotoURL);
          resTokenID = sessionService.getRestrictedTokenId(
              token.getTokenID().toString(), tokenRes);
      } else {
          resTokenID = token.getTokenID().toString();
      }

            People

            peter.major Peter Major [X] (Inactive)
            bthalmayr Bernhard Thalmayr