Re: svn commit: r1832662 - /ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/LoginWorker.java

Sat, 02 Jun 2018 15:34:33 -0700 

I can't find the JIRA reference for this commit, can you place share a
JIRA if it exists? Also, I'm not sure why you're calling
session.invalidate()? Doesn't request.getSession() already assign a
new session depending on client settings?

On Fri, Jun 1, 2018 at 10:37 AM,  <jler...@apache.org> wrote:
> Author: jleroux
> Date: Fri Jun  1 07:37:27 2018
> New Revision: 1832662
>
> URL: http://svn.apache.org/viewvc?rev=1832662&view=rev
> Log:
> Fixes a session fixation security issue discovered by a client with the 
> security
>  audit tool "IBM Security AppScan Enterprise , Version : 9.0.3.7"
>
> Prevents the session fixation by making Tomcat generate a new jsessionId
> (ultimately put in cookie).
>
> Only do when really signing in to avoid unnecessary calls
> Though if the client has disabled the use of cookies, then a session will be
> new on each request, not a good choice on client side!
>
>
>
> Modified:
>     
> ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/LoginWorker.java
>
> Modified: 
> ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/LoginWorker.java
> URL: 
> http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/LoginWorker.java?rev=1832662&r1=1832661&r2=1832662&view=diff
> ==============================================================================
> --- 
> ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/LoginWorker.java
>  (original)
> +++ 
> ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/LoginWorker.java
>  Fri Jun  1 07:37:27 2018
> @@ -328,6 +328,14 @@ public class LoginWorker {
>       */
>      public static String login(HttpServletRequest request, 
> HttpServletResponse response) {
>          HttpSession session = request.getSession();
> +
> +        // Prevent session fixation by making Tomcat generate a new 
> jsessionId (ultimately put in cookie).
> +        if (!session.isNew()) {  // Only do when really signing in.
> +            session.invalidate(); // If the client has disabled the use of 
> cookies, then a session will be new on each request, not a good choice on 
> client side!
> +            session = request.getSession(true);
> +            UtilHttp.setInitialRequestInfo(request); // We need to put that 
> in place again
> +        }
> +
>          Delegator delegator = (Delegator) request.getAttribute("delegator");
>          String username = request.getParameter("USERNAME");
>          String password = request.getParameter("PASSWORD");
>
>

Reply via email to