You are viewing a plain text version of this content. The canonical link for it is here.

Posted to commits@ofbiz.apache.org by jl...@apache.org on 2018/06/03 08:33:10 UTC

svn commit: r1832756 - /ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/LoginWorker.java

Author: jleroux
Date: Sun Jun  3 08:33:09 2018
New Revision: 1832756

URL: http://svn.apache.org/viewvc?rev=1832756&view=rev
Log:
Fixed: Session fixation issue
(OFBIZ-10420)

Prevents the session fixation by making Tomcat generate a new jsessionId 
(ultimately put in cookie). Only do when really signing in to avoid unnecessary 
calls

This improves the way it's done by using request.changeSessionId() instead of 
creating a brand new session. So there is no possible side effects on client and
no need to set initial request info (using setInitialRequestInfo)

Thanks: Taher for asking about it









Modified:
    ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/LoginWorker.java

Modified: ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/LoginWorker.java
URL: http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/LoginWorker.java?rev=1832756&r1=1832755&r2=1832756&view=diff
==============================================================================
--- ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/LoginWorker.java (original)
+++ ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/LoginWorker.java Sun Jun  3 08:33:09 2018
@@ -327,13 +327,11 @@ public class LoginWorker {
      *         JSP should generate its own content. This allows an event to override the default content.
      */
     public static String login(HttpServletRequest request, HttpServletResponse response) {
-        HttpSession session = request.getSession();
+        HttpSession session = request.getSession();  
         
         // Prevent session fixation by making Tomcat generate a new jsessionId (ultimately put in cookie). 
         if (!session.isNew()) {  // Only do when really signing in. 
-            session.invalidate(); // If the client has disabled the use of cookies, then a session will be new on each request, not a good choice on client side!
-            session = request.getSession(true);
-            UtilHttp.setInitialRequestInfo(request); // We need to put that in place again 
+            request.changeSessionId();
         }
         
         Delegator delegator = (Delegator) request.getAttribute("delegator");