Enterprise Client Community

Hi,

when using CaptainCasa in the following way...

1. Session management by URL-rewriting (not by COOKIE)
2. Spring Security version 5.7

...then the access to e.g. "BufferedContent" is not working anymore. On server side you get a log message like:

Code:

 2022-12-21 15:47:18,431 INFO | Could not find any object in buffered content for bufferId: BUFFERED_1671634036281_89447575_394

The same is true for using "TemFileManager"-content.

Reason: we use the HttpServletResponse.encodeURL(...) method, which should by definition append ";jsessionid=...." to the URL. SPring does not do this anymore, or better: this must be explicitly switched on...:

Please check: https://docs.spring.io/spring-security/reference/5.7/servlet/appendix/namespace/http.html#nsa-http-attributes
And set the parameter "disable-url-rewriting" to "false".

Some further comments on this:

1. CaptainCasa can run with either URL-based session management or by COOKIE-based session management. It's up to you to decide.

2. When running in URL-bases session management then the "jsessionid" is rewritten into the URL. And this means it can be "hijacked". - But...: CaptainCasa always in parallel sends a cookie with a "check-id". So hijacking the jsessionid from the URL does not have any effect - the "check-id" of the cookie needs to be hijacked in addition, and this is part of the encrypted information (https), so no man-in-the-middle can catch.

More information on this is available in Developer's Guide, there is a chapter "Security considerations".

Kind regards! Björn

PS: and thanks to the one who not only found the problem but also knew the solution! ;-)