Alexander Wels has uploaded a new change for review. Change subject: userportal, webadmin: prevent session fixation ......................................................................
userportal, webadmin: prevent session fixation
- This patch creates a new session when a user attempts to log in. This enhances the session management.
Change-Id: I3df427683c924f10cb59f4af1dd067fcfd21a8f2
Signed-off-by: Alexander Wels <[email protected]>
---
M frontend/webadmin/modules/frontend/src/main/java/org/ovirt/engine/ui/frontend/server/gwt/GenericApiGWTServiceImpl.java
1 file changed, 16 insertions(+), 9 deletions(-)
git pull ssh://gerrit.ovirt.org:29418/ovirt-engine refs/changes/06/26806/1
diff --git a/frontend/webadmin/modules/frontend/src/main/java/org/ovirt/engine/ui/frontend/server/gwt/GenericApiGWTServiceImpl.java b/frontend/webadmin/modules/frontend/src/main/java/org/ovirt/engine/ui/frontend/server/gwt/GenericApiGWTServiceImpl.java
index 68979c0..d37b8b9 100644
--- a/frontend/webadmin/modules/frontend/src/main/java/org/ovirt/engine/ui/frontend/server/gwt/GenericApiGWTServiceImpl.java
+++ b/frontend/webadmin/modules/frontend/src/main/java/org/ovirt/engine/ui/frontend/server/gwt/GenericApiGWTServiceImpl.java
@@ -55,7 +55,7 @@
 VdcQueryParametersBase searchParameters) {
 log.debug("Server: RunQuery invoked!"); //$NON-NLS-1$
 debugQuery(search, searchParameters);
- searchParameters.setSessionId(getSessionId());
+ searchParameters.setSessionId(getSession().getId());
 return getBackend().runQuery(search, searchParameters);
 }
@@ -112,7 +112,7 @@
 log.debug("Server: RunMultipleAction invoked! [amount of actions: " + multipleParams.size() + "]"); //$NON-NLS-1$ //$NON-NLS-2$
 for (VdcActionParametersBase params : multipleParams) {
- params.setSessionId(getSessionId());
+ params.setSessionId(getSession().getId());
 }
 ArrayList<VdcReturnValueBase> returnValues =
@@ -126,7 +126,7 @@
 VdcActionParametersBase params) {
 log.debug("Server: RunAction invoked!"); //$NON-NLS-1$
 debugAction(actionType, params);
- params.setSessionId(getSessionId());
+ params.setSessionId(getSession().getId());
 if (noBackend) {
 VdcReturnValueBase rValue = new VdcReturnValueBase();
@@ -140,8 +140,8 @@
 @Override
 public DbUser getLoggedInUser() {
 VdcQueryParametersBase queryParams = new VdcQueryParametersBase();
- queryParams.setSessionId(getSessionId());
- queryParams.setHttpSessionId(getSessionId());
+ queryParams.setSessionId(getSession().getId());
+ queryParams.setHttpSessionId(getSession().getId());
 VdcQueryReturnValue vqrv = RunQuery(VdcQueryType.GetUserBySessionId, queryParams);
@@ -162,7 +162,7 @@
 @Override
 public VdcReturnValueBase logOff(DbUser userToLogoff) {
 LogoutUserParameters params = new LogoutUserParameters(userToLogoff.getId());
- params.setSessionId(getSessionId());
+ params.setSessionId(getSession().getId());
 VdcReturnValueBase returnValue = getBackend().logoff(params);
 return returnValue;
 }
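Review bot: In getLoggedInUser the two replaced lines each call `getSession()`, and since `getSession()` (see the last hunk) logs the remote address and session id at debug level on every call, one getLoggedInUser request now writes that line twice; fetching the id once, `String sessionId = getSession().getId();` and passing `sessionId` to both `setSessionId` and `setHttpSessionId`, keeps a single log line and a single lookup. The same repeated-call pattern appears in the Login hunk at -170, where `getSession()` is called three times in one method. The rest of getLoggedInUser continues past the end of this hunk.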
@@ -170,19 +170,26 @@
 @Override
 public VdcReturnValueBase Login(String userName, String password, String profileName, VdcActionType loginType) {
 LoginUserParameters params = new LoginUserParameters(profileName, userName, password);
- params.setSessionId(getSessionId());
+ HttpSession originalSession = getSession();
+ // Prevent session fixation.
+ getSession().invalidate();
+ // Calling getSession again after invalidating it should create a new session.
+ HttpSession newSession = getSession();
+ assert !newSession.equals(originalSession) : "new session the same as old session"; //$NON-NLS-1$
+
+ params.setSessionId(getSession().getId());
 params.setActionType(loginType);
 VdcReturnValueBase returnValue = getBackend().login(params);
 return returnValue;
 }
- private String getSessionId() {
+ private HttpSession getSession() {
 HttpServletRequest request = this.getThreadLocalRequest();
 HttpSession session = request.getSession();
 log.debug("IP [" + request.getRemoteAddr() + "], Session ID [" + session.getId() + "]"); //$NON-NLS-1$ //$NON-NLS-2$ //$NON-NLS-3$
- return session.getId();
+ return session;
 }
 @Override
--
To view, visit http://gerrit.ovirt.org/26806
To unsubscribe, visit http://gerrit.ovirt.org/settings
Gerrit-MessageType: newchange
Gerrit-Change-Id: I3df427683c924f10cb59f4af1dd067fcfd21a8f2
Gerrit-PatchSet: 1
Gerrit-Project: ovirt-engine
Gerrit-Branch: ovirt-engine-3.4
Gerrit-Owner: Alexander Wels <[email protected]>
_______________________________________________ Engine-patches mailing list [email protected] http://lists.ovirt.org/mailman/listinfo/engine-patches
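Review bot: The `assert !newSession.equals(originalSession)` line in Login is the only check that the container actually issued a fresh session, and `assert` is a no-op unless the JVM runs with `-ea`, so in production the invariant is unverified; if it matters, make it an explicit check such as `if (newSession.getId().equals(originalSession.getId())) { throw new IllegalStateException("session was not renewed on login"); }`, and if it does not, the `originalSession` variable and the assert can be dropped. The id handed to the backend is then taken from a further `getSession()` call rather than from `newSession`, so `params.setSessionId(newSession.getId());` would use the variable the method already holds. Invalidating unconditionally also discards whatever attributes the old session carried, and since every other hunk keys backend calls on the HTTP session id, a backend session that was already logged in under the old id appears to be left to time out rather than logged off — worth confirming against the backend's session handling, or invalidating only when no user is bound to the current session. The enclosing class continues beyond the `@Override` at the end of this hunk.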
