Author: kkolinko Date: Sun Nov 11 16:25:18 2012 New Revision: 1408043 URL: http://svn.apache.org/viewvc?rev=1408043&view=rev Log: In FormAuthenticator: If it is configured to change Session IDs, do the change before displaying the login form.
Modified: tomcat/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java
Modified: tomcat/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java?rev=1408043&r1=1408042&r2=1408043&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java (original)
+++ tomcat/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java Sun Nov 11 16:25:18 2012
@@ -28,6 +28,7 @@ import javax.servlet.http.Cookie;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
+import org.apache.catalina.Manager;
 import org.apache.catalina.Realm;
 import org.apache.catalina.Session;
 import org.apache.catalina.connector.Request;
@@ -381,6 +382,15 @@ public class FormAuthenticator
 return;
 }
+ if (getChangeSessionIdOnAuthentication()) {
+ Session session = request.getSessionInternal(false);
+ if (session != null) {
+ Manager manager = request.getContext().getManager();
+ manager.changeSessionId(session);
+ request.changeSessionId(session.getId());
+ }
+ }
+ // Always use GET for the login page, regardless of the method used
 String oldMethod = request.getMethod();
 request.getCoyoteRequest().method().setString("GET");
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
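Review bot: The added `if (getChangeSessionIdOnAuthentication())` block in the second hunk carries no comment saying why the session ID is rotated before the login form is shown, and the commit log states only what is done. A line such as `// Rotate the ID before the login page is rendered so that an ID the client held earlier (possibly fixed by a third party) is not the one the login exchange runs under.` would record the intent, which looks like session-fixation hardening. Because the rotation runs on every pass through this path when a session exists, any request still carrying the previous ID will no longer match the session; that trade-off deserves a mention in the same comment or in the option's documentation. `request.getContext().getManager()` is dereferenced without a null check; that is presumably safe once `session` is non-null, but `session.getManager()` would state the dependency directly. The enclosing method starts and ends outside this hunk.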