OFBiz OFBiz - Commits

svn commit: r1832662 - /ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/LoginWorker.java

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
1 message Options
jleroux@apache.org
Reply | Threaded
Open this post in threaded view
|

svn commit: r1832662 - /ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/LoginWorker.java

jleroux@apache.org
Author: jleroux
Date: Fri Jun  1 07:37:27 2018
New Revision: 1832662

URL: http://svn.apache.org/viewvc?rev=1832662&view=rev
Log:
Fixes a session fixation security issue discovered by a client with the security
 audit tool "IBM Security AppScan Enterprise , Version : 9.0.3.7"

Prevents the session fixation by making Tomcat generate a new jsessionId
(ultimately put in cookie).

Only do when really signing in to avoid unnecessary calls
Though if the client has disabled the use of cookies, then a session will be
new on each request, not a good choice on client side!



Modified:
    ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/LoginWorker.java

Modified: ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/LoginWorker.java
URL: http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/LoginWorker.java?rev=1832662&r1=1832661&r2=1832662&view=diff
==============================================================================
--- ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/LoginWorker.java (original)
+++ ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/LoginWorker.java Fri Jun  1 07:37:27 2018
@@ -328,6 +328,14 @@ public class LoginWorker {
      */
     public static String login(HttpServletRequest request, HttpServletResponse response) {
         HttpSession session = request.getSession();
+        
+        // Prevent session fixation by making Tomcat generate a new jsessionId (ultimately put in cookie).
+        if (!session.isNew()) {  // Only do when really signing in.
+            session.invalidate(); // If the client has disabled the use of cookies, then a session will be new on each request, not a good choice on client side!
+            session = request.getSession(true);
+            UtilHttp.setInitialRequestInfo(request); // We need to put that in place again
+        }
+        
         Delegator delegator = (Delegator) request.getAttribute("delegator");
         String username = request.getParameter("USERNAME");
         String password = request.getParameter("PASSWORD");


Free forum by Nabble Edit this page