Posted to dev@tomcat.apache.org by bi...@apache.org on 2002/10/31 07:24:59 UTC

cvs commit: jakarta-tomcat/src/share/org/apache/tomcat/modules/session SessionId.java

billbarker    2002/10/30 22:24:59

  Modified:    src/share/org/apache/tomcat/modules/session SessionId.java
  Log:
  Disable session sharing when switching from HTTPS to HTTP.
  
  There is a new "secureCookie" attribute that can be set to "false" to continue to use the old behavior where session sharing is enabled.
  
  The default behavior could be changed if consistency is considered to be more important than security.
  
  Now Craig doesn't have to vote against the 3.3.2 release. ;)
  
  Revision  Changes    Path
  1.21      +13 -0     jakarta-tomcat/src/share/org/apache/tomcat/modules/session/SessionId.java
  
  Index: SessionId.java
  ===================================================================
  RCS file: /home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/modules/session/SessionId.java,v
  retrieving revision 1.20
  retrieving revision 1.21
  diff -u -r1.20 -r1.21
  --- SessionId.java	22 Aug 2002 06:04:29 -0000	1.20
  +++ SessionId.java	31 Oct 2002 06:24:59 -0000	1.21
  @@ -97,6 +97,7 @@
       boolean cookiesFirst=true;
       boolean checkSSLSessionId=false;
       boolean ignoreCase=false;
  +    boolean secureCookie=true;
       
       public SessionId() {
   	ignoreCase= (File.separatorChar  == '\\');
  @@ -124,6 +125,15 @@
   	return ignoreCase;
       }
   
  +    /** Use secure cookies for SSL connections.
  +     */
  +    public void setSecureCookie(boolean sc) {
  +	secureCookie = sc;
  +    }
  +
  +    public boolean getSecureCookie() {
  +	return secureCookie;
  +    }
       
       /** Extract the session id from the request.
        * SessionInterceptor will have to be called _before_ mapper,
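Review bot: The Javadoc on `setSecureCookie` does not say what turning the option off costs, and `getSecureCookie` has no Javadoc at all. Going by the commit log, `false` restores the old behaviour in which a session created over HTTPS is shared with plain HTTP, so the session id can travel in cleartext. The setter comment should state that, for example `/** When true (the default), a session cookie set on an SSL request carries the Secure attribute, so the browser will not return it over plain HTTP. */`. A matching one-line `/** Returns whether session cookies set over SSL are marked Secure. */` on the getter would complete it.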
  @@ -358,6 +368,9 @@
   	StringBuffer buf = new StringBuffer();
   	buf.append( "JSESSIONID=" ).append( reqSessionId );
   	buf.append( ";Path=" ).append(  sessionPath  );
  +	if( secureCookie && rrequest.isSecure() ) {
  +	    buf.append(";Secure");
  +	}
   	response.addHeader( "Set-Cookie",
   			    buf.toString());
   	if( debug>0) log( "Setting cookie " + buf );
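Review bot: The `Secure` attribute is decided only from `rrequest.isSecure()` at the moment the cookie is written, so a session first created over plain HTTP keeps a cookie without it, and that id has already crossed the wire in cleartext if the user later moves to HTTPS. The hunk does not show whether the id is reissued on the switch to SSL; if it is not, a comment above the check should say so, such as `// Only protects sessions created over SSL; ids issued over HTTP stay non-secure.` The unchanged `log( "Setting cookie " + buf )` line also writes the full session id to the log when debug is on, and would be safer logging only the cookie name and path. The enclosing method starts and ends outside the hunk.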
  
  
  
