Skip to content

Prevent caching of non-document requests in HttpSessionRequestCache #17687

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Prevent caching of non-document requests in HttpSessionRequestCache #17687

wants to merge 1 commit into from
+27 −0

Conversation

therepanic
Copy link
Contributor

@therepanic therepanic commented Aug 11, 2025
edited
Loading

When the browser requests a missing favicon.ico on the login page, it triggers an ERROR dispatch.
This request was mistakenly saved and caused redirection to /error after login instead of the original URL.

This change checks for DispatcherType.ERROR and Sec-Fetch-Dest header to avoid caching such requests.

Closes #17686

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Aug 11, 2025
@therepanic therepanic marked this pull request as ready for review August 11, 2025 13:44
@therepanic
Prevent caching of non-document requests in HttpSessionRequestCache
b24e384 
When the browser requests a missing favicon.ico on the login page, it
triggers an ERROR dispatch.
This request was mistakenly saved and caused redirection to /error after
login instead of the original URL.

This change checks for DispatcherType.ERROR and Sec-Fetch-Dest header to
avoid caching such requests.

Closes spring-projects#17686

Signed-off-by: Andrey Litvitski <[email protected]>
jzheaux
jzheaux requested changes Aug 13, 2025
View reviewed changes
Copy link
Contributor

@jzheaux jzheaux left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, @therepanic! I've left my feedback inline.

web/src/main/java/org/springframework/security/web/savedrequest/HttpSessionRequestCache.java
@@ -61,6 +63,17 @@ public class HttpSessionRequestCache implements RequestCache {
*/
@Override
public void saveRequest(HttpServletRequest request, HttpServletResponse response) {
boolean documentRequest = "document".equals(request.getHeader("Sec-Fetch-Dest"));
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please take a look at RequestCacheConfigurer, which constructs a request matcher that skips /favicon.* requests. If that is in place and you are still seeing this problem, then that's where the fix should go.

Let's first see if we can figure out why the existing request matcher provided in RequestCacheConfigurer is not sufficient. It may be that the best fix is to check this header and the dispatcher type; however, since there is already logic for /favicon.ico in place, I'm curious to first establish why that isn't working here.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's also try and keep the fix as small as possible to make it more likely to backport to earlier versions of Spring Security that may also have the bug. Adding support for request dispatcher type and the Sec-Fetch-Dest headers are good ideas, but they are more of an improvement and will likely not be backported.

@jzheaux jzheaux self-assigned this Aug 13, 2025
@jzheaux jzheaux added status: waiting-for-feedback We need additional information before we can continue in: web An issue in web modules (web, webmvc) type: enhancement A general enhancement and removed status: waiting-for-triage An issue we've not yet triaged labels Aug 13, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jzheaux jzheaux jzheaux requested changes

Assignees

@jzheaux jzheaux

Labels
in: web An issue in web modules (web, webmvc) status: waiting-for-feedback We need additional information before we can continue type: enhancement A general enhancement
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

The browser accesses a nonexistent resource during login, leading to /error after login
3 participants
@therepanic @jzheaux @spring-projects-issues