Issue with SecureAction replacing response session with request session in v12.0.1+

Shane McDaniel

Jan 15, 2026, 3:17:50 PM
to Pac4j development mailing list
In 12.0.1 a change was made to SecureAction

which took

return delegate.call(playWebContext.supplementRequest((Http.Request) playWebContext.getNativeJavaRequest()));

and added

return delegate.call(playWebContext.supplementRequest((Http.Request)
                        playWebContext.getNativeJavaRequest())).thenApply(result -> playWebContext.supplementResponse(result));


I believe this introduces a bug, where the desired session data is overwritten with the request's session data.

supplementResponse has the code

logger.trace("supplement response with session: {}", session);
r = r.withSession(session);

which in effect replaces r's session with the provided one, which I believe to be the original request. "supplement" implies to me a merging of data, but withSession simply replaces it.

The symptom we're seeing in our code base is the following when trying to use play-pac4j beyond 12.0.0:

We set a session value 'redirectTo', and in 12.0.0 it is present in the response session cookie as expected. In 12.0.2 and 13.0.0 it is not.

In a debugger, in the above: r.withSession(session);

I observe that r has the session value redirectTo as expected in all the above versions, but session does not, which means that redirectTo is effectively removed from the response with the withSession call.  
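
The overwrite described in the post above, reduced to a stand-alone Java model (an added example, not code from the post or from play-pac4j). `Result`, `supplementByReplacing`, `supplementByMerging`, the `sessionId` key and the sample values are hypothetical stand-ins; only `redirectTo` and the replace-not-merge behaviour of `withSession` are taken from the post.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.function.Function;

// Stand-alone model of the flow in the post. Every class and method here is a
// hypothetical stand-in, not a Play or play-pac4j type.
public class SessionOverwriteDemo {

    // Immutable result carrying a session map, like a response with a session cookie.
    static final class Result {
        final Map<String, String> session;
        Result(Map<String, String> session) { this.session = Map.copyOf(session); }
        // Replaces the whole session; nothing from the old one survives.
        Result withSession(Map<String, String> s) { return new Result(s); }
    }

    // Behaviour reported in the post: the response session is swapped for the context's.
    static Result supplementByReplacing(Result r, Map<String, String> contextSession) {
        return r.withSession(contextSession);
    }

    // One possible merge policy (an assumption, not the library's fix): keep what the
    // action returned, then overlay the context's keys so the security layer wins on
    // conflicts. A key the action deliberately removed would come back under this policy.
    static Result supplementByMerging(Result r, Map<String, String> contextSession) {
        Map<String, String> merged = new HashMap<>(r.session);
        merged.putAll(contextSession);
        return r.withSession(merged);
    }

    public static void main(String[] args) {
        // Constructed sample data: the session as it arrived with the request.
        Map<String, String> requestSession = Map.of("sessionId", "constructed-id-1");

        // The delegate action adds redirectTo to the session of the result it returns.
        Function<Map<String, String>, Result> action = in -> {
            Map<String, String> out = new HashMap<>(in);
            out.put("redirectTo", "/reports");
            return new Result(out);
        };

        Result fromAction = action.apply(requestSession);
        Result replaced = supplementByReplacing(fromAction, requestSession);
        Result merged = supplementByMerging(fromAction, requestSession);

        System.out.println("redirectTo in action result: " + fromAction.session.containsKey("redirectTo"));
        System.out.println("redirectTo after replace:    " + replaced.session.containsKey("redirectTo"));
        System.out.println("redirectTo after merge:      " + merged.session.containsKey("redirectTo"));
    }
}
```

Which side wins a key conflict is the decision that matters in a merge: a value the security layer rotated must not be overwritten by a stale copy from the action's result.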


Shane McDaniel

Jan 27, 2026, 10:54:25 AM
to Pac4j development mailing list
Is anyone able to review my findings? I believe this to be a bug in the library.