Author: rjung
Date: Thu Apr 15 19:19:15 2010
New Revision: 934554
URL: http://svn.apache.org/viewvc?rev=934554&view=rev
Log:
Address BZ45255: Prevent session fixation by providing an option (disabled by default) to change the session ID on authentication.
Backport of r918761 from TC 5.5.x.
Modified:
tomcat/sandbox/tomcat-oacc/trunk/docs/changelog.xml
tomcat/sandbox/tomcat-oacc/trunk/src/share/org/apache/catalina/cluster/session/JvmRouteBinderValve.java
Modified: tomcat/sandbox/tomcat-oacc/trunk/docs/changelog.xml
URL:
http://svn.apache.org/viewvc/tomcat/sandbox/tomcat-oacc/trunk/docs/changelog.xml?rev=934554&r1=934553&r2=934554&view=diff
==============================================================================
--- tomcat/sandbox/tomcat-oacc/trunk/docs/changelog.xml (original)
+++ tomcat/sandbox/tomcat-oacc/trunk/docs/changelog.xml Thu Apr 15 19:19:15 2010
@@ -31,6 +31,12 @@
<body>
<section name="Tomcat OACC 0.1 (rjung)">
<subsection name="Cluster">
+ <add>
+ <bug>45255</bug>: Add the ability to change session ID on
+ authentication to protect against session fixation attacks. This is
+ disabled by default.
+ Port from Tomcat 5.5. (rjung)
+ </add>
<changelog>
<fix>
<bug>47554</bug>: httpOnly flag not applied to migrated session cookie.
Modified:
tomcat/sandbox/tomcat-oacc/trunk/src/share/org/apache/catalina/cluster/session/JvmRouteBinderValve.java
URL:
http://svn.apache.org/viewvc/tomcat/sandbox/tomcat-oacc/trunk/src/share/org/apache/catalina/cluster/session/JvmRouteBinderValve.java?rev=934554&r1=934553&r2=934554&view=diff
==============================================================================
---
tomcat/sandbox/tomcat-oacc/trunk/src/share/org/apache/catalina/cluster/session/JvmRouteBinderValve.java
(original)
+++
tomcat/sandbox/tomcat-oacc/trunk/src/share/org/apache/catalina/cluster/session/JvmRouteBinderValve.java
Thu Apr 15 19:19:15 2010
@@ -406,9 +406,8 @@ public class JvmRouteBinderValve extends
* new session id for node migration
*/
protected void changeRequestSessionID(Request request, Response response,
String sessionId, String newSessionID) {
- request.setRequestedSessionId(newSessionID);
- if(request.isRequestedSessionIdFromCookie())
- setNewSessionCookie(request, response,newSessionID);
+ request.changeSessionId(newSessionID);
+
// set orginal sessionid at request, to allow application detect the
// change
if (sessionIdAttribute != null && !"".equals(sessionIdAttribute)) {
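Review bot: The cookie refresh is now delegated entirely to `request.changeSessionId(newSessionID);`, so the httpOnly flag that the BZ47554 fix (listed in the changelog hunk above) applied to the migrated session cookie is only preserved if Request#changeSessionId sets it itself; that is not visible in this diff and is worth confirming before the old setNewSessionCookie path is abandoned. The commit touches only the changelog and this valve, so `Request#changeSessionId(String)` must already exist in the tomcat-oacc tree — the log describes this as a backport of r918761, so its Request-side counterpart should be present, otherwise the valve will not compile. The removed code also called `request.setRequestedSessionId(newSessionID)` before re-issuing the cookie; presumably the replacement does the same, since anything downstream that reads the requested id would otherwise see the stale value. The added empty `+` line after the call is stray whitespace, and changeRequestSessionID's body continues past the end of the hunk.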
@@ -451,6 +450,8 @@ public class JvmRouteBinderValve extends
* @param request current request
* @param response Tomcat Response
* @param sessionId The session id
+ *
+ * @deprecated Use {...@link Request#changeSessionId(String)}
*/
protected void setNewSessionCookie(Request request,
Response response, String sessionId) {
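Review bot: The Javadoc gains an `@deprecated` tag, but no `@Deprecated` annotation is added to the declaration of setNewSessionCookie on the hunk's last lines, so callers get no compiler warning and tooling will not flag the method; add `@Deprecated` on the line before `protected void setNewSessionCookie(Request request,`. The tag text reads `{...@link Request#changeSessionId(String)}` here; if the ellipsis is actually in the source rather than a mail-rendering artifact, the link will not resolve and should be `{@link Request#changeSessionId(String)}`. The method body continues outside the hunk.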