concord-server: use JSON for remember-me cookies #1333

Draft: ibodrov wants to merge 1 commit into master from ib/cookie-serialization
@ibodrov ibodrov commented May 25, 2026

Replace Java object serialization (ObjectOutputStream) with JSON-based serialization for remember-me cookie principals.

Replace Java object serialization (ObjectOutputStream) with Jackson
JSON serialization for remember-me cookie principals. This eliminates
the remote code execution risk from deserialization gadget chains.

Uses Jackson annotations and sealed records for clean polymorphic
serialization:
- PrincipalCollectionData -- top-level cookie container
- PrincipalPayload (sealed interface) -- @JsonTypeInfo/@JsonSubTypes
  polymorphic dispatch
- PrincipalPayload.Up -- UsernamePasswordToken
- PrincipalPayload.Api -- concord ApiKey

Legacy Java-serialized cookies fall back to ObjectInputFilter-protected
deserialization, upgraded to JSON on next login.
ibodrov force-pushed the ib/cookie-serialization branch from 3e207d6 to 82c5dac on May 25, 2026 03:57
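To illustrate the layout the description outlines (a sealed payload hierarchy dispatched through @JsonTypeInfo/@JsonSubTypes, plus an ObjectInputFilter-protected fallback for legacy Java-serialized cookies), here is an added Java example. It is not the PR's code and not the project's API: it reuses the type names listed above (PrincipalCollectionData, PrincipalPayload, Up, Api), but their fields, the `j:` marker used to tell the two cookie formats apart, the LegacyPrincipals stand-in for the old serialized object, and the filter pattern are all assumptions made for this example. It needs Java 17+ and jackson-databind 2.12+ (record support).

```java
import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.List;

// Added example: JSON remember-me cookie payload with a guarded legacy path (not the project's code).
public class CookieCodecExample {

    // Top-level cookie container; the field shape is assumed for this example.
    public record PrincipalCollectionData(List<PrincipalPayload> principals) {}

    // Sealed hierarchy: Jackson writes a "type" discriminator and will only ever instantiate
    // the two listed subtypes, so no class name taken from the wire is ever resolved.
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, property = "type")
    @JsonSubTypes({
        @JsonSubTypes.Type(value = PrincipalPayload.Up.class, name = "up"),
        @JsonSubTypes.Type(value = PrincipalPayload.Api.class, name = "api")
    })
    public sealed interface PrincipalPayload permits PrincipalPayload.Up, PrincipalPayload.Api {
        record Up(String username) implements PrincipalPayload {}   // username/password login
        record Api(String keyId) implements PrincipalPayload {}     // API-key login
    }

    // Stand-in for the legacy Java-serialized cookie object (constructed for this example).
    public record LegacyPrincipals(String username) implements Serializable {}

    private static final ObjectMapper MAPPER = new ObjectMapper();
    private static final String JSON_PREFIX = "j:";   // assumed marker for the new format

    // Allow-list filter for the legacy path: only the legacy record and String may be
    // deserialized; any other class (gadget chains included) is rejected before instantiation.
    private static final ObjectInputFilter LEGACY_FILTER = ObjectInputFilter.Config.createFilter(
        "CookieCodecExample$LegacyPrincipals;java.lang.String;maxdepth=4;maxbytes=4096;!*");

    public static String encode(PrincipalCollectionData data) throws Exception {
        byte[] json = MAPPER.writeValueAsBytes(data);
        return JSON_PREFIX + Base64.getUrlEncoder().withoutPadding().encodeToString(json);
    }

    public static PrincipalCollectionData decode(String cookieValue) throws Exception {
        if (cookieValue.startsWith(JSON_PREFIX)) {
            byte[] json = Base64.getUrlDecoder().decode(cookieValue.substring(JSON_PREFIX.length()));
            return MAPPER.readValue(json, PrincipalCollectionData.class);
        }
        return decodeLegacy(Base64.getUrlDecoder().decode(cookieValue));
    }

    // Legacy cookies: Java deserialization behind the allow-list filter, then converted to the
    // new model so that the next cookie the caller writes is JSON.
    static PrincipalCollectionData decodeLegacy(byte[] bytes) throws Exception {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            in.setObjectInputFilter(LEGACY_FILTER);
            LegacyPrincipals legacy = (LegacyPrincipals) in.readObject();
            return new PrincipalCollectionData(List.of(new PrincipalPayload.Up(legacy.username())));
        }
    }

    // Produces a legacy-format cookie for the demo in main().
    static String encodeLegacy(LegacyPrincipals legacy) throws Exception {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(legacy);
        }
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf.toByteArray());
    }

    public static void main(String[] args) throws Exception {
        // New format round-trip: the wire form is plain JSON carrying a "type" discriminator.
        var data = new PrincipalCollectionData(List.of(
            new PrincipalPayload.Up("alice"), new PrincipalPayload.Api("key-123")));
        String cookie = encode(data);
        System.out.println(new String(
            Base64.getUrlDecoder().decode(cookie.substring(JSON_PREFIX.length())), StandardCharsets.UTF_8));
        System.out.println(decode(cookie).equals(data));

        // Unknown discriminator (constructed input): Jackson refuses instead of resolving a class.
        String unknownType = JSON_PREFIX + Base64.getUrlEncoder().withoutPadding().encodeToString(
            "{\"principals\":[{\"type\":\"other\",\"x\":1}]}".getBytes(StandardCharsets.UTF_8));
        try {
            decode(unknownType);
        } catch (InvalidTypeIdException e) {
            System.out.println("rejected unknown type id");
        }

        // A legacy cookie still decodes, but only through the filtered path.
        System.out.println(decode(encodeLegacy(new LegacyPrincipals("bob"))));
    }
}
```

The example covers only the serialization format. A remember-me cookie also needs integrity and confidentiality protection (a MAC or authenticated encryption) as a separate layer, because a JSON payload that anyone can write is still attacker-controlled input; the JSON format removes the class-resolution problem, not the need to authenticate the cookie.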