
improve session id recycling process

Jason Rivard пре 4 година
родитељ
комит
88beefca9c

+ 5 - 0
server/src/main/java/password/pwm/config/Configuration.java

@@ -448,6 +448,11 @@ public class Configuration
         return configurationSuppliers.appPropertyOverrides.get().getOrDefault( property.getKey(), property.getDefaultValue() );
     }
 
+    public boolean readBooleanAppProperty( final AppProperty property )
+    {
+        return Boolean.parseBoolean( readAppProperty( property ) );
+    }
+
     private StoredValue readStoredValue( final PwmSetting setting )
     {
         if ( setting.getCategory().hasProfiles() )
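Review bot: `readBooleanAppProperty` has no Javadoc, and `Boolean.parseBoolean` silently maps every value other than a case-insensitive "true" to false, so a mistyped override such as "ture" or "yes" for a property like HTTP_SESSION_RECYCLE_AT_AUTH (read by this method in the RequestInitializationFilter change below) would disable the behaviour without any error. At minimum the lenient parsing should be stated on the method: `/** Reads an app property and interprets it as a boolean; any value other than "true" (case-insensitive) yields {@code false}. */`. If a strict interpretation is wanted, a comparison against "true"/"false" with a logged warning for anything else would make bad overrides visible; I cannot tell from the hunk whether app-property values are validated elsewhere.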

+ 6 - 0
server/src/main/java/password/pwm/http/filter/CookieManagementFilter.java

@@ -79,6 +79,12 @@ public class CookieManagementFilter implements Filter
         markSessionForRecycle( ( HttpServletRequest ) servletRequest );
     }
 
+    /**
+     * Ensures that every session that modifies its samesite cookies also triggers a session ID
+     * recycle, once per session.
+     *
+     * @param httpServletRequest The request to be marked
+     */
     private void markSessionForRecycle( final HttpServletRequest httpServletRequest )
     {
         if ( StringUtil.isEmpty( value ) )

+ 8 - 3
server/src/main/java/password/pwm/http/filter/RequestInitializationFilter.java

@@ -301,10 +301,15 @@ public class RequestInitializationFilter implements Filter
 
     private void checkIfSessionRecycleNeeded( final PwmRequest pwmRequest )
     {
-        if ( pwmRequest.getPwmSession().getSessionStateBean().isSessionIdRecycleNeeded() )
+        if ( pwmRequest.getPwmSession().getSessionStateBean().isSessionIdRecycleNeeded()
+                && !pwmRequest.getURL().isResourceURL() )
         {
-            pwmRequest.getHttpServletRequest().changeSessionId();
-            pwmRequest.getPwmSession().getSessionStateBean().setSessionIdRecycleNeeded( false );
+            if ( pwmRequest.getConfig().readBooleanAppProperty( AppProperty.HTTP_SESSION_RECYCLE_AT_AUTH ) )
+            {
+                pwmRequest.getHttpServletRequest().changeSessionId();
+                pwmRequest.getPwmSession().getSessionStateBean().setSessionIdRecycleNeeded( false );
+                LOGGER.trace( pwmRequest, () -> "changeSessionId() requested from servlet container" );
+            }
         }
     }
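Review bot: When HTTP_SESSION_RECYCLE_AT_AUTH is false the `sessionIdRecycleNeeded` flag is never cleared, so the flag stays set for the life of the session and the config lookup is repeated on every non-resource request; more importantly, nothing records that a requested session-id change was skipped. The flag is also set by sources other than authentication (the CookieManagementFilter Javadoc in this commit says a samesite-cookie change marks the session for recycle), yet all recycles are now gated by a property named "…AT_AUTH", so disabling that property also disables the samesite-triggered recycle — worth confirming this is intended, since the post-authentication id change is the session-fixation mitigation. I would add an `else` branch with `LOGGER.trace( pwmRequest, () -> "session id recycle skipped, " + AppProperty.HTTP_SESSION_RECYCLE_AT_AUTH.getKey() + " is disabled" );` so the skipped recycle is visible in traces, and consider whether the flag should be cleared there too. `LOGGER` is presumably a class field declared outside the hunk.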