I can't find the JIRA reference for this commit, can you please share a JIRA if it exists? Also, I'm not sure why you're calling session.invalidate()? Doesn't request.getSession() already assign a new session depending on client settings?
On Fri, Jun 1, 2018 at 10:37 AM, <jler...@apache.org> wrote:
> Author: jleroux
> Date: Fri Jun 1 07:37:27 2018
> New Revision: 1832662
>
> URL: http://svn.apache.org/viewvc?rev=1832662&view=rev
> Log:
> Fixes a session fixation security issue discovered by a client with the security
> audit tool "IBM Security AppScan Enterprise , Version : 9.0.3.7"
>
> Prevents the session fixation by making Tomcat generate a new jsessionId
> (ultimately put in cookie).
>
> Only do when really signing in to avoid unnecessary calls
> Though if the client has disabled the use of cookies, then a session will be
> new on each request, not a good choice on client side!
>
> Modified:
> ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/LoginWorker.java
>
> Modified: ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/LoginWorker.java
> URL: http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/LoginWorker.java?rev=1832662&r1=1832661&r2=1832662&view=diff
> ==============================================================================
> --- ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/LoginWorker.java (original)
> +++ ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/LoginWorker.java Fri Jun 1 07:37:27 2018
> @@ -328,6 +328,14 @@ public class LoginWorker { > */ > public static String login(HttpServletRequest request, > HttpServletResponse response) { > HttpSession session = request.getSession(); > + > + // Prevent session fixation by making Tomcat generate a new > jsessionId (ultimately put in cookie). > + if (!session.isNew()) { // Only do when really signing in. > + session.invalidate(); // If the client has disabled the use of > cookies, then a session will be new on each request, not a good choice on > client side! > + session = request.getSession(true); > + UtilHttp.setInitialRequestInfo(request); // We need to put that > in place again > + } > + > Delegator delegator = (Delegator) request.getAttribute("delegator"); > String username = request.getParameter("USERNAME"); > String password = request.getParameter("PASSWORD"); > >
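Review bot: the added block at the top of login() calls session.invalidate() before USERNAME and PASSWORD have even been read, so a failed or abandoned login attempt also discards everything the caller had stored in the old session, and only `UtilHttp.setInitialRequestInfo(request)` is put back. Rotating the session id after the credentials have been verified would keep the fixation protection while avoiding that loss of state on failed attempts. If the container is Servlet 3.1 or later, `request.changeSessionId()` changes the jsessionId in place and keeps the existing attributes, which would also make the setInitialRequestInfo re-run unnecessary. Either way, the `if (!session.isNew())` guard means the id is never rotated when cookies are disabled, which the inline comment acknowledges but which should be stated in the log message as a known limitation of the fix.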