Posted to dev@tomcat.apache.org by ma...@apache.org on 2019/12/06 21:14:49 UTC
[tomcat] 06/07: Add an atomic method to rotate session ID and
return new value. Use it.
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/tomcat.git
commit 1949da1cf5e6be10c8e39572a701fef217fa99f1
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Fri Dec 6 12:13:15 2019 +0000
Add an atomic method to rotate session ID and return new value. Use it.
---
java/org/apache/catalina/Manager.java | 33 +++++++++++++++++++++++
java/org/apache/catalina/connector/Request.java | 3 +--
java/org/apache/catalina/session/ManagerBase.java | 7 +++++
3 files changed, 41 insertions(+), 2 deletions(-)
diff --git a/java/org/apache/catalina/Manager.java b/java/org/apache/catalina/Manager.java
index ac9b8fb..86b47e5 100644
--- a/java/org/apache/catalina/Manager.java
+++ b/java/org/apache/catalina/Manager.java
@@ -215,11 +215,44 @@ public interface Manager {
* session ID.
*
* @param session The session to change the session ID for
+ *
+ * @deprecated Use {@link #rotateSessionId(Session)}.
+ * Will be removed in Tomcat 10
*/
+ @Deprecated
public void changeSessionId(Session session);
/**
+ * Change the session ID of the current session to a new randomly generated
+ * session ID.
+ *
+ * @param session The session to change the session ID for
+ *
+ * @return The new session ID
+ */
+ public default String rotateSessionId(Session session) {
+ String newSessionId = null;
+ // Assume there new Id is a duplicate until we prove it isn't. The
+ // chances of a duplicate are extremely low but the current ManagerBase
+ // code protects against duplicates so this default method does too.
+ boolean duplicate = true;
+ do {
+ newSessionId = getSessionIdGenerator().generateSessionId();
+ try {
+ if (findSession(newSessionId) == null) {
+ duplicate = false;
+ }
+ } catch (IOException ioe) {
+ // Swallow. An IOE means the ID was known so continue looping
+ }
+ } while (duplicate);
+ changeSessionId(session, newSessionId);
+ return newSessionId;
+ }
+
+
+ /**
* Change the session ID of the current session to a specified session ID.
*
* @param session The session to change the session ID for
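Review bot: The retry loop `do { … } while (duplicate);` in the default `rotateSessionId` has no upper bound, and the `catch (IOException ioe)` branch keeps looping on any failure from `findSession`, so a backing store that persistently throws would pin the calling thread in this loop instead of surfacing the error; consider counting attempts and throwing `IllegalStateException` after a small bound, and reword the catch comment to say an I/O failure is treated as a possible collision rather than "means the ID was known". The initializer `String newSessionId = null;` is redundant because the loop body always assigns it before use. The comment "Assume there new Id" should read "Assume the new Id". The Javadoc would also benefit from stating that the default implementation only checks uniqueness via `findSession` and that returning the ID from the same call is what avoids the race between `changeSessionId(Session)` and a later `getId()`.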
diff --git a/java/org/apache/catalina/connector/Request.java b/java/org/apache/catalina/connector/Request.java
index 7cd30f7..8608276 100644
--- a/java/org/apache/catalina/connector/Request.java
+++ b/java/org/apache/catalina/connector/Request.java
@@ -2675,9 +2675,8 @@ public class Request implements HttpServletRequest {
}
Manager manager = this.getContext().getManager();
- manager.changeSessionId(session);
- String newSessionId = session.getId();
+ String newSessionId = manager.rotateSessionId(session);
this.changeSessionId(newSessionId);
return newSessionId;
diff --git a/java/org/apache/catalina/session/ManagerBase.java b/java/org/apache/catalina/session/ManagerBase.java
index de6ae81..5e769c8 100644
--- a/java/org/apache/catalina/session/ManagerBase.java
+++ b/java/org/apache/catalina/session/ManagerBase.java
@@ -753,8 +753,15 @@ public abstract class ManagerBase extends LifecycleMBeanBase implements Manager
@Override
public void changeSessionId(Session session) {
+ rotateSessionId(session);
+ }
+
+
+ @Override
+ public String rotateSessionId(Session session) {
String newId = generateSessionId();
changeSessionId(session, newId, true, true);
+ return newId;
}
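Review bot: The `changeSessionId(Session)` override at `@Override public void changeSessionId(Session session) {` carries no `@Deprecated` annotation even though this commit deprecates the interface method it overrides in Manager.java, so deprecation lint will flag the override and readers of ManagerBase cannot see that it is the legacy entry point; add `@Deprecated` above the `@Override` and a matching `@deprecated Use {@link #rotateSessionId(Session)}` Javadoc. In the new `rotateSessionId` override, the absence of a duplicate check suggests `generateSessionId()` is expected to guarantee uniqueness on its own, which is not visible in this hunk; a one-line comment such as `// generateSessionId() is relied on to return an unused ID` would make that assumption explicit and should be confirmed against its implementation. The hunk's trailing context lines are not visible in this view.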