
further restrict sessionIdRecycling to non-client api requests.

Jason Rivard 4 years ago
parent
commit
c7def1329b

+ 3 - 1
server/src/main/java/password/pwm/http/filter/RequestInitializationFilter.java

@@ -302,7 +302,9 @@ public class RequestInitializationFilter implements Filter
     private void checkIfSessionRecycleNeeded( final PwmRequest pwmRequest )
     {
         if ( pwmRequest.getPwmSession().getSessionStateBean().isSessionIdRecycleNeeded()
-                && !pwmRequest.getURL().isResourceURL() )
+                && !pwmRequest.getURL().isResourceURL()
+                && !pwmRequest.getURL().isClientApiServlet()
+        )
         {
             if ( pwmRequest.getConfig().readBooleanAppProperty( AppProperty.HTTP_SESSION_RECYCLE_AT_AUTH ) )
             {
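Review bot: The new `!pwmRequest.getURL().isClientApiServlet()` condition in checkIfSessionRecycleNeeded has no comment saying why client API requests are exempt from session id recycling, and since recycling at authentication is the guard against session fixation, the exemption deserves one. If the first requests after login are client API calls, the pre-authentication session id appears to stay in use until a page request arrives, so it is worth confirming that the recycle-needed flag stays set on the skipped path and is cleared only once the id has actually been rotated. I would add above the `if` something like `// client API calls are skipped here; the recycle flag stays pending until the next non-API, non-resource request`. The method body continues past the end of this hunk, so the flag handling is not visible here.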