Wrong auth session id being used when validating auth session id cookies (#16253) (#16415)

Closes #16252
Closes #16132

Co-authored-by: Pedro Igor <pigor.craveiro@gmail.com>
Stian Thorgersen 2023-01-12 14:09:51 +01:00 committed by GitHub
parent 6572a64a8b
commit 23207f81cf


@ -202,7 +202,7 @@ public class AuthenticationSessionManager {
public boolean test(String id) {
StickySessionEncoderProvider encoder = session.getProvider(StickySessionEncoderProvider.class);
// in case the id is encoded with a route when running in a cluster
String decodedId = encoder.decodeSessionId(cookiesVal.iterator().next());
String decodedId = encoder.decodeSessionId(id);
// we can't blindly trust the cookie and assume it is valid and referencing a valid root auth session
// but make sure the root authentication session actually exists
// without this check there is a risk of resolving user sessions from invalid root authentication sessions as they share the same id
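Review bot: the existence check that the trailing comment promises (the root authentication session must actually exist before the id is accepted) is below the visible lines, so confirm it consumes `decodedId` rather than `id` or the raw cookie value, since decoding with `StickySessionEncoderProvider` is exactly what strips the cluster route. The one-line change from `encoder.decodeSessionId(cookiesVal.iterator().next())` to `encoder.decodeSessionId(id)` is the whole fix for the referenced issues: the predicate previously decoded the first cookie value on every invocation regardless of which `id` it was handed, so a stale first cookie masked any later valid one. A regression test that supplies several auth session id cookie values, with only a later one resolving to a live root authentication session, would pin this down and keep the `cookiesVal` capture from being reintroduced.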