Introduced protections against HTTP header injection / smuggling attacks

src/main/java/stirling/software/SPDF/config/security/SecurityConfiguration.java

@@ -1,5 +1,6 @@
 package stirling.software.SPDF.config.security;
 
+import io.github.pixee.security.Newlines;
 import java.io.IOException;
 import java.security.cert.X509Certificate;
 import java.util.*;
@@ -163,12 +164,31 @@ public class SecurityConfiguration {
             http.sessionManagement(
                     sessionManagement ->
                             sessionManagement
-                            .sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
                                     .maximumSessions(10)
                                     .maxSessionsPreventsLogin(false)
                                     .sessionRegistry(sessionRegistry)
-                                    .expiredUrl("/login?logout=true"));
 
+                                    .expiredUrl("/login?logout=true"))
+            .addFilterBefore(
+                    new ForceEagerSessionCreationFilter(), 
+                    SecurityContextHolderFilter.class)
+            .addFilterBefore(new ForceEagerSessionCreationFilter(), SecurityContextHolderFilter.class);
+            
+            http.addFilterBefore(new OncePerRequestFilter() {
+                @Override
+                protected void doFilterInternal(HttpServletRequest request, 
+                        HttpServletResponse response, FilterChain filterChain) 
+                        throws ServletException, IOException {
+                    
+                    if (request.getRequestURI().startsWith("/saml2")) {
+                        response.setHeader("Set-Cookie", 
+                            Newlines.stripAll(response.getHeader("Set-Cookie")
+                                .concat(";SameSite=None;Secure")));
+                    }
+                    filterChain.doFilter(request, response);
+                }
+            }, SessionManagementFilter.class);
+            
             http.authenticationProvider(daoAuthenticationProvider());
             http.requestCache(requestCache -> requestCache.requestCache(new NullRequestCache()));
             http.logout(
@@ -452,6 +472,19 @@ public class SecurityConfiguration {
                         .clientName("OIDC")
                         .build());
     }
+
+    @Bean
+    public CookieSerializer cookieSerializer() {
+        DefaultCookieSerializer serializer = new DefaultCookieSerializer();
+        serializer.setSameSite("None");
+        serializer.setUseSecureCookie(true); // Required when using SameSite=None
+        return serializer;
+    }
+
+    @Bean
+    public HttpSessionEventPublisher httpSessionEventPublisher() {
+        return new HttpSessionEventPublisher();
+    }
     
     @Bean
     @ConditionalOnProperty(

src/main/resources/static/3rdPartyLicenses.json

@@ -1386,13 +1386,6 @@
             "moduleLicense": "Apache License, Version 2.0",
             "moduleLicenseUrl": "https://www.apache.org/licenses/LICENSE-2.0"
         },
-        {
-            "moduleName": "org.springframework.session:spring-session-core",
-            "moduleUrl": "https://spring.io/projects/spring-session",
-            "moduleVersion": "3.4.0",
-            "moduleLicense": "Apache License, Version 2.0",
-            "moduleLicenseUrl": "https://www.apache.org/licenses/LICENSE-2.0"
-        },
         {
             "moduleName": "org.springframework:spring-aop",
             "moduleUrl": "https://github.com/spring-projects/spring-framework",