details: https://code.openbravo.com/erp/devel/pi/rev/7ef6d8ce4b58 changeset: 32379:7ef6d8ce4b58 user: Martin Taal <martin.taal <at> openbravo.com> date: Thu Jun 29 11:28:15 2017 +0200 summary: Fixes issue 36364: Http Sessions are registered in SessionListener with wrong session id, stateless requests should not be registered Prevent stateless request from being registered in SessionListener. Force the correct id in the Session record
diffstat: src/org/openbravo/erpCommon/security/SessionLogin.java | 12 +++++++++++- 1 files changed, 11 insertions(+), 1 deletions(-) diffs (50 lines):
diff -r 1a7aad006212 -r 7ef6d8ce4b58 src/org/openbravo/erpCommon/security/SessionLogin.java
--- a/src/org/openbravo/erpCommon/security/SessionLogin.java Wed Jun 28 14:57:06 2017 +0200
+++ b/src/org/openbravo/erpCommon/security/SessionLogin.java Thu Jun 29 11:28:15 2017 +0200
@@ -27,6 +27,7 @@
 import javax.servlet.http.HttpSession;
 import org.apache.log4j.Logger;
+import org.openbravo.authentication.AuthenticationManager;
 import org.openbravo.base.provider.OBProvider;
 import org.openbravo.dal.core.OBContext;
 import org.openbravo.dal.service.OBDal;
@@ -52,6 +53,7 @@
 protected String serverUrl;
 private String username;
 private String status;
+ private boolean stateless;
 public SessionLogin(String ad_client_id, String ad_org_id, String ad_user_id) throws ServletException {
@@ -81,6 +83,7 @@
 if (request != null) {
 defaultParameters(request);
 }
+ stateless = AuthenticationManager.isStatelessRequest(request);
 }
 public void setServerUrl(String strAddr) {
@@ -115,7 +118,9 @@
 public int save() throws ServletException {
 if (getSessionID().equals("")) {
 String key = SequenceIdData.getUUID();
- SessionListener.addSession(key);
+ if (!stateless) {
+ SessionListener.addSession(key);
+ }
 if (key == null || key.equals("")) throw new ServletException("SessionLogin.save() - key creation failed");
 setSessionID(key);
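Review bot: In the `@@ -81,6 +83,7 @@` hunk, `AuthenticationManager.isStatelessRequest(request)` is called outside the `if (request != null)` guard directly above it, so this constructor can hand a null request to the check. Whether isStatelessRequest tolerates null is not visible in this diff; if it does not, the assignment should carry the same guard, e.g. `stateless = request != null && AuthenticationManager.isStatelessRequest(request);`. The field added in the `@@ -52,6 +53,7 @@` hunk defaults to false, so any construction path that skips this assignment is treated as stateful and gets registered; a comment on the field saying so would help. The constructor body starts outside the hunk.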
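Review bot: In the `@@ -115,7 +118,9 @@` hunk, the new `if (!stateless)` block still registers `key` with SessionListener before the `key == null || key.equals("")` check that follows it, so a failed key generation is registered first and rejected afterwards. Moving the validity check up keeps an unusable id out of the listener: place `if (key == null || key.equals("")) throw new ServletException("SessionLogin.save() - key creation failed");` directly after the `SequenceIdData.getUUID()` line. The condition would also benefit from a one-line comment such as `// stateless requests must not be registered in SessionListener (issue 36364)`. save() continues beyond this hunk.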
@@ -142,6 +147,11 @@ session.setSessionActive(sessionActive); session.setLoginStatus(status); session.setUsername(username); + + // ensure that the object in the db has the same value as the session id + session.setId(getSessionID()); + session.setNewOBObject(true); + OBDal.getInstance().save(session); SessionInfo.auditThisThread(false); OBDal.getInstance().commitAndClose(); ------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot _______________________________________________ Openbravo-commits mailing list Openbravo-commits@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openbravo-commits
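Review bot: `session.setId(getSessionID())` followed by `session.setNewOBObject(true)` forces an insert under whatever id this object currently holds, and the `getSessionID().equals("")` branch in the earlier save() hunk shows that the id is only generated there when none was set beforehand. If save() can run with an id that already has a row (a second save() on the same object, or an id supplied through setSessionID), the forced insert would presumably fail on the key rather than update; the hunk does not show how that case is handled. Since the commit's purpose is to make the stored record's id match the session id, the added comment should state the precondition as well, e.g. `// id must be the key generated in save(); the record is always inserted, never updated`. The start of save() and the creation of `session` are outside this hunk.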