Author: jleroux
Date: Sun Jun 3 08:34:32 2018
New Revision: 1832757
URL:
http://svn.apache.org/viewvc?rev=1832757&view=revLog:
"Applied fix from trunk for revision: 1832756"
------------------------------------------------------------------------
r1832756 | jleroux | 2018-06-03 10:33:09 +0200 (dim. 03 juin 2018) | 21 lignes
Fixed: Session fixation issue
(OFBIZ-10420)
Prevents the session fixation by making Tomcat generate a new jsessionId
(ultimately put in cookie). Only do when really signing in to avoid unnecessary
calls
This improves the way it's done by using request.changeSessionId() instead of
creating a brand new session. So there is no possible side effects on client and
no need to set initial request info (using setInitialRequestInfo)
Thanks: Taher for asking about it
------------------------------------------------------------------------
Modified:
ofbiz/ofbiz-framework/branches/release17.12/ (props changed)
ofbiz/ofbiz-framework/branches/release17.12/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/LoginWorker.java
Propchange: ofbiz/ofbiz-framework/branches/release17.12/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Sun Jun 3 08:34:32 2018
@@ -10,4 +10,4 @@
/ofbiz/branches/json-integration-refactoring:1634077-1635900
/ofbiz/branches/multitenant20100310:921280-927264
/ofbiz/branches/release13.07:1547657
-/ofbiz/ofbiz-framework/trunk:1819499,1819598,1819800,1819805,1819811,1820038,1820262,1820374-1820375,1820441,1820457,1820644,1820658,1820790,1820823,1820949,1820966,1821012,1821036,1821112,1821115,1821144,1821186,1821219,1821226,1821230,1821386,1821613,1821628,1821965,1822125,1822310,1822377,1822383,1822393,1823467,1823562,1823876,1824314,1824316,1824732,1824803,1824847,1824855,1825192,1825211,1825216,1825233,1825450,1826374,1826502,1826592,1826671,1826674,1826805,1826938,1826997,1827439,1828255,1828316,1828346,1828424,1828512,1828514,1829690,1830936,1831074,1831078,1831234,1831608,1831831,1832577,1832662
+/ofbiz/ofbiz-framework/trunk:1819499,1819598,1819800,1819805,1819811,1820038,1820262,1820374-1820375,1820441,1820457,1820644,1820658,1820790,1820823,1820949,1820966,1821012,1821036,1821112,1821115,1821144,1821186,1821219,1821226,1821230,1821386,1821613,1821628,1821965,1822125,1822310,1822377,1822383,1822393,1823467,1823562,1823876,1824314,1824316,1824732,1824803,1824847,1824855,1825192,1825211,1825216,1825233,1825450,1826374,1826502,1826592,1826671,1826674,1826805,1826938,1826997,1827439,1828255,1828316,1828346,1828424,1828512,1828514,1829690,1830936,1831074,1831078,1831234,1831608,1831831,1832577,1832662,1832756
Modified: ofbiz/ofbiz-framework/branches/release17.12/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/LoginWorker.java
URL:
http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/branches/release17.12/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/LoginWorker.java?rev=1832757&r1=1832756&r2=1832757&view=diff==============================================================================
--- ofbiz/ofbiz-framework/branches/release17.12/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/LoginWorker.java (original)
+++ ofbiz/ofbiz-framework/branches/release17.12/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/LoginWorker.java Sun Jun 3 08:34:32 2018
@@ -327,13 +327,11 @@ public class LoginWorker {
* JSP should generate its own content. This allows an event to override the default content.
*/
public static String login(HttpServletRequest request, HttpServletResponse response) {
- HttpSession session = request.getSession();
+ HttpSession session = request.getSession();
// Prevent session fixation by making Tomcat generate a new jsessionId (ultimately put in cookie).
if (!session.isNew()) { // Only do when really signing in.
- session.invalidate(); // If the client has disabled the use of cookies, then a session will be new on each request, not a good choice on client side!
- session = request.getSession(true);
- UtilHttp.setInitialRequestInfo(request); // We need to put that in place again
+ request.changeSessionId();
}
Delegator delegator = (Delegator) request.getAttribute("delegator");
Locked
