From dbe225715d4eab3b161a56d2d9f37fefdc082d60 Mon Sep 17 00:00:00 2001 From: Pedro Igor Date: Thu, 5 Jan 2023 01:13:25 -0800 Subject: [PATCH] Wrong auth session id being used when validating auth session id cookies (#16253) Closes #16252 Closes #16132 --- .../services/managers/AuthenticationSessionManager.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/src/main/java/org/keycloak/services/managers/AuthenticationSessionManager.java b/services/src/main/java/org/keycloak/services/managers/AuthenticationSessionManager.java index f815259185e..fd700be12b0 100644 --- a/services/src/main/java/org/keycloak/services/managers/AuthenticationSessionManager.java +++ b/services/src/main/java/org/keycloak/services/managers/AuthenticationSessionManager.java @@ -202,7 +202,7 @@ public class AuthenticationSessionManager { public boolean test(String id) { StickySessionEncoderProvider encoder = session.getProvider(StickySessionEncoderProvider.class); // in case the id is encoded with a route when running in a cluster - String decodedId = encoder.decodeSessionId(cookiesVal.iterator().next()); + String decodedId = encoder.decodeSessionId(id); // we can't blindly trust the cookie and assume it is valid and referencing a valid root auth session // but make sure the root authentication session actually exists // without this check there is a risk of resolving user sessions from invalid root authentication sessions as they share the same id