Details
- Bug
- Resolution: Duplicate
- Medium
- None
- 3.2.0
- None
Description
Verification of CAPTCHA is broken on Stash 3.2. The problem is indirectly caused by the use of Hazelcast session replication: Hazelcast wraps Tomcat's HttpSession in its own wrapper, which reports a different session ID.
When the CAPTCHA challenge is created, the token is stored against the session ID obtained from HttpSession.getId(). When the submitted token is verified, however, it is looked up by HttpServletRequest.getRequestedSessionId(), which differs from that ID. The token is therefore not found and an error occurs.
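As an added illustration (not code from Stash or Hazelcast), a Python model of the mismatch the description reports: the Session, ReplicatedSession, Request and CaptchaService classes are constructed stand-ins for the servlet objects, and verify_fixed shows one way to key the store and the lookup consistently by getId(); that is an assumption about a fix, not the change Atlassian shipped.

```python
import hmac
import secrets

class Session:
    """Stand-in for Tomcat's HttpSession (constructed, not the servlet API)."""
    def __init__(self, session_id):
        self.session_id = session_id

    def get_id(self):
        return self.session_id

class ReplicatedSession(Session):
    """Hazelcast-style wrapper: getId() is its own ID, not the wrapped one's."""
    def __init__(self, delegate, cluster_id):
        super().__init__(cluster_id)
        self.delegate = delegate

class Request:
    """Stand-in for HttpServletRequest: the session the app sees plus the raw
    session ID the client sent (what getRequestedSessionId() returns)."""
    def __init__(self, session, requested_session_id):
        self.session, self.requested_session_id = session, requested_session_id

    def get_session(self):
        return self.session

    def get_requested_session_id(self):
        return self.requested_session_id

class CaptchaService:
    def __init__(self):
        self.tokens = {}  # session key -> expected CAPTCHA answer

    def create_challenge(self, request):
        token = secrets.token_hex(4)
        self.tokens[request.get_session().get_id()] = token  # keyed by getId()
        return token

    def verify_broken(self, request, answer):
        # Bug: looks up by the client-sent ID, which differs under the wrapper.
        expected = self.tokens.get(request.get_requested_session_id())
        if expected is None:
            raise LookupError("no CAPTCHA challenge for this session")
        return hmac.compare_digest(expected, answer)

    def verify_fixed(self, request, answer):
        # Same ID source as create_challenge; pop() makes the token single-use.
        expected = self.tokens.pop(request.get_session().get_id(), None)
        return expected is not None and hmac.compare_digest(expected, answer)
```

With a plain Tomcat session both lookups agree and verify_broken works; with the wrapper (constructed IDs "hz-42" for the wrapper, "tomcat-7" for the client-sent ID) only verify_fixed finds the token.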
Issue Links
- duplicates BSERV-5083 The CAPTCHA service found itself in an awkward situation (Closed)