svn commit: r798025 - in /ofbiz/trunk: framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java specialpurpose/ecommerce/webapp/ecommerce/WEB-INF/web.xml


svn commit: r798025 - in /ofbiz/trunk: framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java specialpurpose/ecommerce/webapp/ecommerce/WEB-INF/web.xml

Author: lektran
Date: Mon Jul 27 05:02:19 2009
New Revision: 798025

URL: http://svn.apache.org/viewvc?rev=798025&view=rev
Log:
Added a new ServletContext parameter "forceHttpSession" that when set to true forces the JSESSIONID cookie to be sent via http

This resolves an issue in the ecommerce app where if the initial request to the app is an https request then the session cookie is available via https only.  
Subsequently if at any point the user switches to http then the session is lost along with any data such as the shopping cart.

The solution involves checking if the request is an https request and if the session is new then the user is redirected to an http version of the request.  
The session cookie is then sent along with the http response, which will be either the requested page (if the request doesn't require https) or another
redirect back to the https version.

Modified:
    ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java
    ofbiz/trunk/specialpurpose/ecommerce/webapp/ecommerce/WEB-INF/web.xml

Modified: ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java?rev=798025&r1=798024&r2=798025&view=diff
==============================================================================
--- ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java (original)
+++ ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java Mon Jul 27 05:02:19 2009
@@ -174,10 +174,10 @@
                     requestMap = controllerConfig.requestMapMap.get(controllerConfig.defaultRequest);
                 }
             }
-
+            boolean forceHttpSession = "true".equals(context.getInitParameter("forceHttpSession"));
             // Check if we SHOULD be secure and are not.
             if (!request.isSecure() && requestMap.securityHttps) {
-                // If the requet method was POST then return an error to avoid problems with XSRF where the request may have come from another machine/program and had the same session ID but was not encrypted as it should have been (we used to let it pass to not lose data since it was too late to protect that data anyway)
+                // If the request method was POST then return an error to avoid problems with XSRF where the request may have come from another machine/program and had the same session ID but was not encrypted as it should have been (we used to let it pass to not lose data since it was too late to protect that data anyway)
                 if (request.getMethod().equalsIgnoreCase("POST")) {
                     // we can't redirect with the body parameters, and for better security from XSRF, just return an error message
                     Locale locale = UtilHttp.getLocale(request);
@@ -216,6 +216,19 @@
                         callRedirect(newUrl, response, request);
                     }
                 }
+            // if this is a new session and the request is secure and forceHttpSession is true then we need the
+            // session cookie to be created via an http response (rather than https) so we'll redirect to an
+            // unsecure request and then if necessary another redirect will occur to transfer back to https
+            } else if (forceHttpSession && request.isSecure() && session.isNew()) {
+                StringBuilder urlBuf = new StringBuilder();
+                urlBuf.append(request.getPathInfo());
+                if (request.getQueryString() != null) {
+                    urlBuf.append("?").append(request.getQueryString());
+                }
+                String newUrl = RequestHandler.makeUrl(request, response, urlBuf.toString(), true, false, false);
+                if (newUrl.toUpperCase().startsWith("HTTP")) {
+                    callRedirect(newUrl, response, request);
+                }
             }
 
             // Check for HTTPS client (x.509) security
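Review bot: The new `else if` at line 58 redirects every secure request whose session is new to http, and for a client that never returns the cookie the session is new on every request, so a URI with `securityHttps` set bounces between this redirect and the https redirect in the branch above it indefinitely. The branch needs a loop breaker, such as a marker parameter appended to the http redirect URL that causes the check to be skipped when it comes back, or at minimum a `!request.isRequestedSessionIdFromURL()` guard so URL-rewritten sessions are left alone. The comment at lines 55-57 should also spell out the trade-off the flag makes, e.g. `// NOTE: the cookie issued on the http response carries no Secure flag, so the session id is thereafter sent in the clear on every http request; the login flow must regenerate the session id to limit the exposure.` `request.getPathInfo()` on line 60 can be null for some servlet mappings, in which case `urlBuf` would start with the text "null" — presumably the https redirect above builds its URL the same way, but that code is outside the hunk, so this is worth confirming. The enclosing method begins and ends outside this hunk.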

Modified: ofbiz/trunk/specialpurpose/ecommerce/webapp/ecommerce/WEB-INF/web.xml
URL: http://svn.apache.org/viewvc/ofbiz/trunk/specialpurpose/ecommerce/webapp/ecommerce/WEB-INF/web.xml?rev=798025&r1=798024&r2=798025&view=diff
==============================================================================
--- ofbiz/trunk/specialpurpose/ecommerce/webapp/ecommerce/WEB-INF/web.xml (original)
+++ ofbiz/trunk/specialpurpose/ecommerce/webapp/ecommerce/WEB-INF/web.xml Mon Jul 27 05:02:19 2009
@@ -49,6 +49,14 @@
         <param-value>component://ecommerce/widget/CommonScreens.xml</param-value>
         <description>The location of the main-decorator screen to use for this webapp; referred to as a context variable in screen def XML files.</description>
     </context-param>
+    <context-param>
+        <param-name>forceHttpSession</param-name>
+        <param-value>true</param-value>
+        <description>
+            Forces the JSESSIONID cookie to be sent via http rather https, helps prevent lost sessions in web apps that
+            frequently switch between http and https.
+        </description>
+    </context-param>
 
     <filter>
         <filter-name>ContextFilter</filter-name>
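Review bot: The description on lines 85-86 drops a word — `rather https` should read `rather than https` — and it understates what enabling the flag means: the session id is deliberately issued over, and thereafter sent on, plaintext http. Suggested text: `Forces the JSESSIONID cookie to be issued on an http response rather than https, so the session survives switching between http and https; note that the session id is then transmitted in the clear on http requests.` An operator reading only web.xml should see that trade-off before turning it on in a webapp that handles logins.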