Posted to dev@tomcat.apache.org by la...@apache.org on 2001/03/06 17:07:45 UTC
cvs commit: jakarta-tomcat/src/facade22/org/apache/tomcat/facade HttpServletRequestFacade.java
larryi 01/03/06 08:07:45
Modified: src/facade22/org/apache/tomcat/facade
HttpServletRequestFacade.java
Log:
Port patch from tomcat_32 for part of Bugzilla Bug #160
The isRequestedSessionIdValid() should be based on the value of
getRequestedSessionId(). Instead of just checking that getSession(false)
returns a non-null value (i.e. there is an active session) we must
also test that the active session's ID matches the requested session id.
Patch By: Marc Saegesser
Revision Changes Path
1.20 +6 -3 jakarta-tomcat/src/facade22/org/apache/tomcat/facade/HttpServletRequestFacade.java
Index: HttpServletRequestFacade.java
===================================================================
RCS file: /home/cvs/jakarta-tomcat/src/facade22/org/apache/tomcat/facade/HttpServletRequestFacade.java,v
retrieving revision 1.19
retrieving revision 1.20
diff -u -r1.19 -r1.20
--- HttpServletRequestFacade.java 2001/02/27 02:49:27 1.19
+++ HttpServletRequestFacade.java 2001/03/06 16:07:44 1.20
@@ -451,9 +451,12 @@
}
public boolean isRequestedSessionIdValid() {
- // so here we just assume that if we have a session it's,
- // all good, else not.
- return null != request.getSession(false);
+ boolean isvalid = false;
+ ServerSession session = (ServerSession)request.getSession(false);
+ if(session != null && session.getId().equals(getRequestedSessionId()))
+ isvalid = true;
+
+ return isvalid;
}
/** Adapter - Request uses getSessionIdSource
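Review bot: In isRequestedSessionIdValid(), the two removed comment lines are not replaced, so nothing in the method now says why the active session's ID is compared with getRequestedSessionId(). A short comment stating that a non-null getSession(false) only shows that some session is active, and that it may not be the one the client asked for, would keep a later cleanup from simplifying this back to the null check.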
RE: cvs commit: jakarta-tomcat/src/facade22/org/apache/tomcat/facade HttpServletRequestFacade.java
Posted by Marc Saegesser <ma...@apropos.com>.
There may be more to this. This fix uncovered other places that were using
the requested session id and assuming that it was really the active session
id. I'll be committing a fix for that problem later today. I'm not as
familiar with the 3.3 code base, but I'll try to port the patch.
> -----Original Message-----
> From: larryi@apache.org [mailto:larryi@apache.org]
> Sent: Tuesday, March 06, 2001 10:08 AM
> To: jakarta-tomcat-cvs@apache.org
> Subject: cvs commit:
> jakarta-tomcat/src/facade22/org/apache/tomcat/facade
> HttpServletRequestFacade.java
>
>
> larryi 01/03/06 08:07:45
>
> Modified: src/facade22/org/apache/tomcat/facade
> HttpServletRequestFacade.java
> Log:
> Port patch from tomcat_32 for part of Bugzilla Bug #160
>
> The isRequestedSessionIdValid() should be based on the value of
> getRequestedSessionId(). Instead of just checking that getSession(false)
> returns a non-null value (i.e. there is an active session) we must
> also test that the active session's ID matches the requested session id.
>
> Patch By: Marc Saegesser
>
> Revision Changes Path
> 1.20 +6 -3 jakarta-tomcat/src/facade22/org/apache/tomcat/facade/HttpServletRequestFacade.java
>
> Index: HttpServletRequestFacade.java
> ===================================================================
> RCS file: /home/cvs/jakarta-tomcat/src/facade22/org/apache/tomcat/facade/HttpServletRequestFacade.java,v
> retrieving revision 1.19
> retrieving revision 1.20
> diff -u -r1.19 -r1.20
> --- HttpServletRequestFacade.java 2001/02/27 02:49:27 1.19
> +++ HttpServletRequestFacade.java 2001/03/06 16:07:44 1.20
> @@ -451,9 +451,12 @@
> }
>
> public boolean isRequestedSessionIdValid() {
> - // so here we just assume that if we have a session it's,
> - // all good, else not.
> - return null != request.getSession(false);
> + boolean isvalid = false;
> + ServerSession session =
> (ServerSession)request.getSession(false);
> + if(session != null &&
> session.getId().equals(getRequestedSessionId()))
> + isvalid = true;
> +
> + return isvalid;
> }
>
> /** Adapter - Request uses getSessionIdSource
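Review bot: The isvalid flag and the braceless if in the new method body can be collapsed into one expression, `return session != null && session.getId().equals(getRequestedSessionId());`, which also removes the chance of a later edit adding a second statement under the unbraced if. The cast to ServerSession is used only to call getId(); if the type returned by request.getSession(false) already exposes getId(), the cast can be dropped as well.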