From 941177f9d2261533be3de98b6b08007594a06120 Mon Sep 17 00:00:00 2001
From: lprimak
Date: Fri, 27 Feb 2026 22:36:11 -0600
Subject: [PATCH 1/4] bugfix: Ignore any cookies that start with session ID, not just session ID cookies themselves. This prevents spurious session ID version cookies from getting in
---
 .../java/org/apache/shiro/ee/filters/FormResubmitSupport.java | 2 +-
 .../org/apache/shiro/ee/filters/FormResubmitSupportCookies.java | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/support/jakarta-ee/src/main/java/org/apache/shiro/ee/filters/FormResubmitSupport.java b/support/jakarta-ee/src/main/java/org/apache/shiro/ee/filters/FormResubmitSupport.java
index 3835e13b66..76485cdf83 100644
--- a/support/jakarta-ee/src/main/java/org/apache/shiro/ee/filters/FormResubmitSupport.java
+++ b/support/jakarta-ee/src/main/java/org/apache/shiro/ee/filters/FormResubmitSupport.java
@@ -520,7 +520,7 @@ private static HttpClient buildHttpClient(URI savedRequest, ServletContext servl
 cookieManager.getCookieStore().add(savedRequest, sessionCookie);
 log.debug("Setting Cookie {}", sessionCookieName);
 for (Cookie origCookie : originalRequest.getCookies()) {
- if (!origCookie.getName().equals(sessionCookieName)) {
+ if (!origCookie.getName().startsWith(sessionCookieName)) {
 try {
 log.debug("Setting Cookie {}", origCookie.getName());
 HttpCookie cookie = new HttpCookie(origCookie.getName(), origCookie.getValue());
diff --git a/support/jakarta-ee/src/main/java/org/apache/shiro/ee/filters/FormResubmitSupportCookies.java b/support/jakarta-ee/src/main/java/org/apache/shiro/ee/filters/FormResubmitSupportCookies.java
index 465ddde945..ac3fa41ecc 100644
--- a/support/jakarta-ee/src/main/java/org/apache/shiro/ee/filters/FormResubmitSupportCookies.java
+++ b/support/jakarta-ee/src/main/java/org/apache/shiro/ee/filters/FormResubmitSupportCookies.java
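Review bot: The prefix test on the changed line drops every request cookie whose name merely begins with the session cookie name, not only the container's session-version variant the subject describes, so an unrelated application cookie such as a constructed `JSESSIONIDFOO` would also vanish from the replayed request. If that over-match is acceptable, say so where the next reader will look: `// skip the session cookie and any container-generated variants of it (e.g. a session-version cookie); the real session cookie was added to the store above`. If it is not, a narrower check that matches the exact name plus the known variant suffix is preferable to `startsWith`. The same prefix filter is applied to response cookies in the last patch of this series, so whichever rule is chosen should be used in both places. buildHttpClient begins outside this hunk.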
@@ -89,7 +89,7 @@ static String getSessionCookieName(ServletContext context, org.apache.shiro.mgt.
 static Map transformCookieHeader(@NonNull List cookies) {
 return cookieStreamFromHeader(cookies)
- .collect(Collectors.toMap(HttpCookie::getName, HttpCookie::getValue));
+ .collect(Collectors.toMap(HttpCookie::getName, HttpCookie::getValue, (var, v2) -> v2));
 }
 static Stream cookieStreamFromHeader(@NonNull List cookies) {
From fbd38c4e9e44fe1322560ea7a70517591f49fbe9 Mon Sep 17 00:00:00 2001
From: lprimak
Date: Sat, 28 Feb 2026 01:49:30 -0600
Subject: [PATCH 2/4] bugfix: skip remember me cookie as well during resubmit
---
 .../java/org/apache/shiro/ee/filters/FormResubmitSupport.java | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/support/jakarta-ee/src/main/java/org/apache/shiro/ee/filters/FormResubmitSupport.java b/support/jakarta-ee/src/main/java/org/apache/shiro/ee/filters/FormResubmitSupport.java
index 76485cdf83..8a7fe44a53 100644
--- a/support/jakarta-ee/src/main/java/org/apache/shiro/ee/filters/FormResubmitSupport.java
+++ b/support/jakarta-ee/src/main/java/org/apache/shiro/ee/filters/FormResubmitSupport.java
@@ -50,6 +50,7 @@ import java.util.Optional;
 import java.util.UUID;
 import static java.util.function.Predicate.not;
+import static org.apache.shiro.web.mgt.CookieRememberMeManager.DEFAULT_REMEMBER_ME_COOKIE_NAME;
 import java.util.regex.Pattern;
 import java.util.stream.Collectors;
 import static javax.faces.application.StateManager.STATE_SAVING_METHOD_CLIENT;
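Review bot: The first lambda parameter on the added `toMap` line is named `var`, which reads as the reserved type name rather than a parameter and should be a plain name, e.g. `(first, last) -> last`. The last-wins merge itself deserves a comment, because it silently decides which of two same-named cookies survives: if `cookies` holds the resubmit response's Set-Cookie values, keeping the last one matches how a user agent would apply repeated headers, but if it ever holds a request Cookie header the first entry is the most path-specific one under RFC 6265 and would be the one to keep. Once the source of the list is confirmed, a line such as `// duplicate names: keep the last occurrence, as a user agent applies repeated Set-Cookie headers` records the choice.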
@@ -520,7 +521,8 @@ private static HttpClient buildHttpClient(URI savedRequest, ServletContext servl
 cookieManager.getCookieStore().add(savedRequest, sessionCookie);
 log.debug("Setting Cookie {}", sessionCookieName);
 for (Cookie origCookie : originalRequest.getCookies()) {
- if (!origCookie.getName().startsWith(sessionCookieName)) {
+ if (!origCookie.getName().startsWith(sessionCookieName)
+ && !origCookie.getName().equals(DEFAULT_REMEMBER_ME_COOKIE_NAME)) {
 try {
 log.debug("Setting Cookie {}", origCookie.getName());
 HttpCookie cookie = new HttpCookie(origCookie.getName(), origCookie.getValue());
From 4290b24e6c0ea82da8e2f291800e0d98b3fec02c Mon Sep 17 00:00:00 2001
From: lprimak
Date: Sun, 1 Mar 2026 15:22:15 -0600
Subject: [PATCH 3/4] enh: better error handling of relogin issues with stateless forms and remembered principals
---
 .../java/org/apache/shiro/ee/filters/FormResubmitSupport.java | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/support/jakarta-ee/src/main/java/org/apache/shiro/ee/filters/FormResubmitSupport.java b/support/jakarta-ee/src/main/java/org/apache/shiro/ee/filters/FormResubmitSupport.java
index 8a7fe44a53..a3e7f261aa 100644
--- a/support/jakarta-ee/src/main/java/org/apache/shiro/ee/filters/FormResubmitSupport.java
+++ b/support/jakarta-ee/src/main/java/org/apache/shiro/ee/filters/FormResubmitSupport.java
@@ -406,8 +406,7 @@ static String resubmitSavedForm(@NonNull String savedFormData, @NonNull String s
 deleteCookie(originalResponse, servletContext, SHIRO_FORM_DATA_KEY);
 return processResubmitResponse(response, originalRequest, originalResponse, response.headers(), savedRequest, servletContext,
- (rememberedAjaxResubmit && decodedFormData.isStatelessRequest) ? false
- : decodedFormData.isPartialAjaxRequest, rememberedAjaxResubmit);
+ decodedFormData.isPartialAjaxRequest, rememberedAjaxResubmit);
 }
 }
From 4b037a9f2ce36d241d5aebf37b0778bba25520b6 Mon Sep 17 00:00:00 2001
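Review bot: The added condition compares against `DEFAULT_REMEMBER_ME_COOKIE_NAME`, so a deployment that renames the remember-me cookie on its `CookieRememberMeManager` would still have that cookie replayed to the saved request, whereas the session cookie name beside it is resolved from configuration via `getSessionCookieName`. Resolve the remember-me name the same way, for example `String rememberMeName = rememberMeManager instanceof CookieRememberMeManager crmm ? crmm.getCookie().getName() : DEFAULT_REMEMBER_ME_COOKIE_NAME;` taken from the security manager's `getRememberMeManager()` (presumably reachable from `getSecurityManager()` — verify its static type), then `&& !origCookie.getName().equals(rememberMeName)`. The hunk also gives no reason for excluding the cookie; a short comment stating why the original remember-me cookie must not accompany the resubmit would help the next reader. buildHttpClient begins outside this hunk.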
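Review bot: Dropping the ternary means a remembered, stateless resubmit is now passed to `processResubmitResponse` as a partial-AJAX request, and nothing on the new line explains why that is now safe — the subject promises better error handling, but this hunk only changes which branch such requests take. A one-line comment above the call, e.g. `// a remembered stateless resubmit is answered like any other partial-AJAX request`, would stop the special case from being reinstated later. If `decodedFormData.isStatelessRequest` has no remaining reader in this method after the change, that is worth checking too (not visible here). resubmitSavedForm begins outside this hunk.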
From: lprimak
Date: Sun, 1 Mar 2026 16:00:24 -0600
Subject: [PATCH 4/4] fix: make sure ajax redirects are only made for redirect response code
---
 .../java/org/apache/shiro/ee/filters/FormResubmitSupport.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/support/jakarta-ee/src/main/java/org/apache/shiro/ee/filters/FormResubmitSupport.java b/support/jakarta-ee/src/main/java/org/apache/shiro/ee/filters/FormResubmitSupport.java
index a3e7f261aa..f2c3cdec7c 100644
--- a/support/jakarta-ee/src/main/java/org/apache/shiro/ee/filters/FormResubmitSupport.java
+++ b/support/jakarta-ee/src/main/java/org/apache/shiro/ee/filters/FormResubmitSupport.java
@@ -486,7 +486,7 @@ private static String processResubmitResponse(HttpResponse response,
 .startsWith(getSessionCookieName(servletContext, getSecurityManager()))))
 .forEach(entry -> addCookie(originalResponse, servletContext, entry.getKey(), entry.getValue(), -1));
- if (isPartialAjaxRequest) {
+ if (response.statusCode() == FOUND && isPartialAjaxRequest) {
 originalResponse.setHeader(CONTENT_TYPE, TEXT_XML);
 originalResponse.setCharacterEncoding(StandardCharsets.UTF_8.name());
 originalResponse.getWriter().append(String.format(
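Review bot: The added guard recognises only `FOUND` (302), so a resubmit that the target answers with 303 See Other — the usual post-redirect-get status — or with 301/307/308 now skips the partial-AJAX redirect response and falls through to whatever the rest of `processResubmitResponse` does with the body. Unless the `HttpClient` built in `buildHttpClient` follows redirects itself (not visible here), a small predicate is safer: `private static boolean isRedirect(int status) { return status == 301 || status == FOUND || status == 303 || status == 307 || status == 308; }` used as `if (isRedirect(response.statusCode()) && isPartialAjaxRequest) {`. A comment on the guard naming the status codes it intends to cover would also make the narrowing deliberate rather than accidental. The method begins before this hunk, so the non-redirect path cannot be checked from here.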