Fixed security vulnerability with cookies not being invalidated properly
Request headers were not properly set for the Request object,
leading to the Cookie header missing when logging out, which then left
the cookie in memory. Rogue actor who gained access to the cookie could then
use the cookie to access the panel.
Made cookie expiry configurable with 'Webserver.Security.Cookie_expires_after'
Due to cookie persistence there is no way to log everyone out of the panel.
This will be addressed in a future commit with addition of a command.
Affects issues:
- Close#1740
Applied some thought to how this stuff should work.
- nulls now possible in the column when value is not available
- Called "Join addresses" instead of hostnames
- Remove bogus data with a patch
- Proper hostname method for spigot
- Removed method calls from nukkit since there was nothing that sounded
proper
Affects:
- Close#1798 (Copied all code over)
Bugs fixed:
- LinkCommands: The return value of "orElseThrow" must be used.
- RegistrationCommands: Optional isPresent not same instance as Optional get
Smells fixed:
- Plan: "logger" is the name of a field in "JavaPlugin"
- PlayersTableJSONCreator: Reduce the total number of break and continue statements in this loop to use at most one.
- BukkitAFKListener, SpongeAFKListener, NukkitAFKListener, PlanAPI, CapabilityService: match the regular expression '^[a-z][a-zA-Z0-9]*$'
- TaskSystem: Reorder the modifiers to comply with the Java Language Specification.
- EntityNameFormatter: StringUtils.removeAll moved to RegExUtils.removeAll
- FiltersJSONResolver: fulfill compareTo contract
- ExportTask: Removed duplicate string literal
- FinishedSession.Id: Rename field "id"
- Session save is now properly waited for when plugin disables
The session save attempt times out after 4 seconds instead of
waiting forever
- If shutdown save is not performed, instead of attempting again on JVM death,
the sessions are placed into a file that is read next time the plugin
enables.
Affects issues:
- Fixed#1770