This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/tomcat.git
commit 1949da1cf5e6be10c8e39572a701fef217fa99f1
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Fri Dec 6 12:13:15 2019 +0000
Add an atomic method to rotate session ID and return new value. Use it.
---
 java/org/apache/catalina/Manager.java | 33 +++++++++++++++++++++++
 java/org/apache/catalina/connector/Request.java | 3 +--
 java/org/apache/catalina/session/ManagerBase.java | 7 +++++
 3 files changed, 41 insertions(+), 2 deletions(-)
diff --git a/java/org/apache/catalina/Manager.java b/java/org/apache/catalina/Manager.java
index ac9b8fb..86b47e5 100644
--- a/java/org/apache/catalina/Manager.java
+++ b/java/org/apache/catalina/Manager.java
@@ -215,11 +215,44 @@ public interface Manager {
 * session ID.
 *
 * @param session The session to change the session ID for
+ *
+ * @deprecated Use {@link #rotateSessionId(Session)}.
+ * Will be removed in Tomcat 10
 */
+ @Deprecated
 public void changeSessionId(Session session);
 /**
+ * Change the session ID of the current session to a new randomly generated
+ * session ID.
+ *
+ * @param session The session to change the session ID for
+ *
+ * @return The new session ID
+ */
+ public default String rotateSessionId(Session session) {
+ String newSessionId = null;
+ // Assume there new Id is a duplicate until we prove it isn't. The
+ // chances of a duplicate are extremely low but the current ManagerBase
+ // code protects against duplicates so this default method does too.
+ boolean duplicate = true;
+ do {
+ newSessionId = getSessionIdGenerator().generateSessionId();
+ try {
+ if (findSession(newSessionId) == null) {
+ duplicate = false;
+ }
+ } catch (IOException ioe) {
+ // Swallow. An IOE means the ID was known so continue looping
+ }
+ } while (duplicate);
+ changeSessionId(session, newSessionId);
+ return newSessionId;
+ }
+
+
+ /**
 * Change the session ID of the current session to a specified session ID.
 *
 * @param session The session to change the session ID for
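Review bot: The do/while in the new default `rotateSessionId` has no upper bound, so a `findSession` that keeps throwing `IOException` for a reason other than the ID being known (a backing store that fails every load, for instance) would spin the request thread forever; the catch comment asserts that an IOE means the ID is known, which nothing visible in `findSession`'s contract guarantees. Bounding the retries and failing loudly once the bound is hit keeps the collision-retry behaviour while turning a broken store into a visible error instead of a hang. Separately, the `findSession` check and the later `changeSessionId(session, newSessionId)` are two steps, so the default method is not itself atomic against a concurrent rotation that draws the same ID — vanishingly unlikely with a cryptographically strong generator, but worth one Javadoc sentence given the "atomic" wording of the commit title. The comment typo `Assume there new Id` should read `Assume the new Id`.

```java
    public default String rotateSessionId(Session session) {
        String newSessionId;
        // Assume the new Id is a duplicate until we prove it isn't. The
        // chances of a duplicate are extremely low but the current ManagerBase
        // code protects against duplicates so this default method does too.
        boolean duplicate = true;
        int storeFailures = 0;
        do {
            newSessionId = getSessionIdGenerator().generateSessionId();
            try {
                duplicate = findSession(newSessionId) != null;
            } catch (IOException ioe) {
                // Treat the ID as known, but do not loop forever on a store
                // that fails every lookup (10 is a constructed bound; tune it)
                if (++storeFailures > 10) {
                    throw new IllegalStateException(
                            "Unable to rotate session ID", ioe);
                }
            }
        } while (duplicate);
        // … unchanged: changeSessionId(session, newSessionId) and return …
```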
diff --git a/java/org/apache/catalina/connector/Request.java b/java/org/apache/catalina/connector/Request.java
index 7cd30f7..8608276 100644
--- a/java/org/apache/catalina/connector/Request.java
+++ b/java/org/apache/catalina/connector/Request.java
@@ -2675,9 +2675,8 @@ public class Request implements HttpServletRequest {
 }
 Manager manager = this.getContext().getManager();
- manager.changeSessionId(session);
- String newSessionId = session.getId();
+ String newSessionId = manager.rotateSessionId(session);
 this.changeSessionId(newSessionId);
 return newSessionId;
diff --git a/java/org/apache/catalina/session/ManagerBase.java b/java/org/apache/catalina/session/ManagerBase.java
index de6ae81..5e769c8 100644
--- a/java/org/apache/catalina/session/ManagerBase.java
+++ b/java/org/apache/catalina/session/ManagerBase.java
@@ -753,8 +753,15 @@ public abstract class ManagerBase extends LifecycleMBeanBase implements Manager
 @Override
 public void changeSessionId(Session session) {
+ rotateSessionId(session);
+ }
+
+
+ @Override
+ public String rotateSessionId(Session session) {
 String newId = generateSessionId();
 changeSessionId(session, newId, true, true);
+ return newId;
 }
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
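Review bot: The retained `changeSessionId(Session)` override in `ManagerBase` implements a method this same commit deprecates in `Manager`, yet it carries only `@Override`; marking it `@Deprecated` as well keeps the implementation consistent with the interface's deprecation and removal note, i.e. `@Override`, `@Deprecated`, `public void changeSessionId(Session session) {`. The new `rotateSessionId` override does no duplicate check of its own and so depends on `generateSessionId()`, which lies outside this hunk, for the collision protection the `Manager` Javadoc alludes to; a comment such as `// generateSessionId() is expected to retry on a collision, so no further duplicate check is done here` would make that dependency explicit — please confirm it against `generateSessionId()`. The enclosing class continues outside the hunk.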