Posted to dev@tomcat.apache.org by ma...@apache.org on 2019/12/07 17:14:18 UTC
[tomcat] 15/18: Add an atomic method to rotate session ID and
return new value. Use it.
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
commit 6dcf03e3784f3d7f0c82e8cd3531cf772ae48a37
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Fri Dec 6 12:13:15 2019 +0000
Add an atomic method to rotate session ID and return new value. Use it.
---
java/org/apache/catalina/Manager.java | 33 +++++++++++++++++++++++
java/org/apache/catalina/connector/Request.java | 3 +--
java/org/apache/catalina/session/ManagerBase.java | 7 +++++
3 files changed, 41 insertions(+), 2 deletions(-)
diff --git a/java/org/apache/catalina/Manager.java b/java/org/apache/catalina/Manager.java
index 4c8275f..0fe745b 100644
--- a/java/org/apache/catalina/Manager.java
+++ b/java/org/apache/catalina/Manager.java
@@ -215,11 +215,44 @@ public interface Manager {
* session ID.
*
* @param session The session to change the session ID for
+ *
+ * @deprecated Use {@link #rotateSessionId(Session)}.
+ * Will be removed in Tomcat 10
*/
+ @Deprecated
public void changeSessionId(Session session);
/**
+ * Change the session ID of the current session to a new randomly generated
+ * session ID.
+ *
+ * @param session The session to change the session ID for
+ *
+ * @return The new session ID
+ */
+ public default String rotateSessionId(Session session) {
+ String newSessionId = null;
+ // Assume there new Id is a duplicate until we prove it isn't. The
+ // chances of a duplicate are extremely low but the current ManagerBase
+ // code protects against duplicates so this default method does too.
+ boolean duplicate = true;
+ do {
+ newSessionId = getSessionIdGenerator().generateSessionId();
+ try {
+ if (findSession(newSessionId) == null) {
+ duplicate = false;
+ }
+ } catch (IOException ioe) {
+ // Swallow. An IOE means the ID was known so continue looping
+ }
+ } while (duplicate);
+ changeSessionId(session, newSessionId);
+ return newSessionId;
+ }
+
+
+ /**
* Change the session ID of the current session to a specified session ID.
*
* @param session The session to change the session ID for
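Review bot: The `catch (IOException ioe)` in the default `rotateSessionId` swallows every exception from `findSession` and loops again, so a manager whose backing store keeps failing (the interface declares `IOException` on `findSession`; the persistent implementations are outside this hunk) spins indefinitely instead of surfacing the error. A bounded retry keeps the duplicate protection without the infinite loop: declare `int attempts = 0;` before the loop and put `if (++attempts > 10) { throw new IllegalStateException("Unable to generate a unique session ID"); }` at the top of the loop body, then reword the `// Swallow. An IOE means the ID was known` comment, since an I/O failure does not imply the ID exists. The Javadoc should also state that the `findSession` check and the following `changeSessionId(session, newSessionId)` are not performed under a lock, so "atomic" here means the returned ID is the one that was actually set, not that the duplicate check and the change are indivisible. The initializer in `String newSessionId = null;` can be dropped because the loop body always assigns it before use.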
diff --git a/java/org/apache/catalina/connector/Request.java b/java/org/apache/catalina/connector/Request.java
index bb4039d..954aa3e 100644
--- a/java/org/apache/catalina/connector/Request.java
+++ b/java/org/apache/catalina/connector/Request.java
@@ -2697,9 +2697,8 @@ public class Request implements org.apache.catalina.servlet4preview.http.HttpSer
}
Manager manager = this.getContext().getManager();
- manager.changeSessionId(session);
- String newSessionId = session.getId();
+ String newSessionId = manager.rotateSessionId(session);
this.changeSessionId(newSessionId);
return newSessionId;
diff --git a/java/org/apache/catalina/session/ManagerBase.java b/java/org/apache/catalina/session/ManagerBase.java
index cccda39..894256d 100644
--- a/java/org/apache/catalina/session/ManagerBase.java
+++ b/java/org/apache/catalina/session/ManagerBase.java
@@ -723,8 +723,15 @@ public abstract class ManagerBase extends LifecycleMBeanBase implements Manager
@Override
public void changeSessionId(Session session) {
+ rotateSessionId(session);
+ }
+
+
+ @Override
+ public String rotateSessionId(Session session) {
String newId = generateSessionId();
changeSessionId(session, newId, true, true);
+ return newId;
}
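Review bot: The override of `changeSessionId(Session)` at the top of the hunk is not annotated `@Deprecated`, although the interface method it implements is deprecated in this same commit; adding `@Deprecated` above its `@Override` keeps the class consistent with the interface and, on pre-Java-9 javac, avoids the deprecation warning for overriding a deprecated method (whether the 8.5.x build currently emits it depends on the compiler used). Subclasses that previously overrode `changeSessionId(Session)` to customise rotation are no longer reached by callers migrated to `rotateSessionId` (Request.java in this commit), because `rotateSessionId` calls `generateSessionId()` and the four-argument `changeSessionId` directly; that behaviour change deserves a sentence in the `rotateSessionId` Javadoc or the changelog. The four-argument `changeSessionId` overload is outside this hunk.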