I've attached 1 patch, 2 modified interceptors, and one new interceptor. These all work with 3.2b6. Please consider these for 3.2b7. Here is what they do:

CookieTools.patch: This patch fixes cookie deletion. The problem was that to delete a cookie, you use setMaxAge(0). The implementation of CookieTools adds the max age onto the current time of the server. That's fine, but the RFCs refer to setting the time into the past for deletion. This patch sets the expire time on the cookie way back into the past. It at least fixes it for me.

SessionInterceptor1.java & StandardSessionInterceptor1.java: This patch modifies the behavior of session cookies. The way the original worked was SessionInterceptor would find the first cookie named JSESSIONID, and store it as the requested session ID. StandardSessionInterceptor would then check the requested session ID to see if it was valid in the selected context. This version removes the cookie checking from SessionInterceptor, and moves all the cookie handling to StandardSessionInterceptor. This gives us access to the context so that we can check all the cookies named JSESSIONID to find a valid one for that context. That allows a / and a non-/ cookie to both be present and it will still pick the right one. These two new interceptors should be used together, and replace the original SessionInterceptor and StandardSessionInterceptor. These also set the jvmRoute on the / context. We can do that now because it will always get the right session ID for the context.

SessionCookieSanitizer.java: This is a new interceptor that will hide all cookies named JSESSIONID that are not valid sessions from the webapp. In the case of a good app and a malicious app, if the one user logged in on the good app, and then accessed the malicious app, the malicious app could send the session ID to someone who could then masquerade as the user in the good app.
Both SessionInterceptor1 and StandardSessionInterceptor1 are mostly the same as the originals, but some code has been moved. Sending these as patches might make it unclear where the changes had occurred and why, so I'm sending them in their entirety.

Paul Frieden

"Craig R. McClanahan" wrote:
>
> It's been a week now, and I've committed > 20 patches to the 3.2 tree,
> ranging from simple tweaks to security problems to spec compliance
> bugs. I believe that I've gotten all of the critical bug reports
> submitted on the mailing lists or via BugRat. Does anyone know of any
> I've missed (see below for one issue I know is outstanding)?
>
> What I'd like to do is build a "beta 7" release this afternoon and post
> it. That will give people a chance to pound on it. Any critical bugs
> we find will need to be fixed, but we need to hold off on changing
> non-essential stuff so we can get a final 3.2 release out the door.
>
> NOTE: One issue that's been discussed in the last couple of days is
> problems supporting the "load balancing" feature for root webapps. I
> haven't seen a proposed patch for this, but understand from the comments
> of people that have tried kludges to work around it -- and it seems
> unreasonable to risk destabilizing things at this late date. I suggest
> that any work on fixing this problem be deferred to a post-3.2-final
> maintenance cycle.
>
> Craig McClanahan
>
> PS: Thanks to everyone for all the bug reports, and to Larry and Nacho
> for chipping in on the commits!
>
> PPS: When the 3.2 final release is completed, my personal focus is
> going to return to the Tomcat 4.0 code base (which does not suffer from
> any of the bugs patched in 3.2, although I did find one 4.0 bug along
> the way :-). If and when bugs show up in 3.2 final, I will be happy to
> commit patches that people supply -- but any big debugging effort or
> major new work on the 3.x track will need to be done by someone else.
StandardSessionInterceptor1.java
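The three behaviours the mail describes (a deletion cookie that expires in the past, choosing the JSESSIONID that the current context actually owns when several are present, and hiding the ones it does not own) can be shown in a few lines of plain Java. The block below is an added illustration written for this page; it is not the attached interceptors, not Tomcat's Interceptor or CookieTools API, and it stands in for javax.servlet.http.Cookie with a tiny record. The session ids, the "/good" context, its hypothetical session registry and the jvmRoute-style ".tomcatA" suffix are all constructed sample values. It assumes Java 16 or later for the record syntax.

```java
import java.time.Instant;
import java.time.ZoneOffset;
import java.time.format.DateTimeFormatter;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.Set;
import java.util.function.Predicate;

// Added example: models the cookie handling discussed in the mail against a
// hypothetical session registry. It is not the patched interceptor code.
public class SessionCookieDemo {

    static final String SESSION_COOKIE = "JSESSIONID";

    // Minimal stand-in for javax.servlet.http.Cookie so this file compiles alone.
    record Cookie(String name, String value, String path) {}

    // Deletion: a date well in the past (Netscape-style Expires) plus Max-Age=0
    // (RFC 2109), instead of "server time + 0 seconds", which a client whose clock
    // is behind the server's would not treat as expired.
    static String deletionHeader(String name, String path) {
        DateTimeFormatter cookieDate = DateTimeFormatter
                .ofPattern("EEE, dd-MMM-yyyy HH:mm:ss 'GMT'", Locale.US)
                .withZone(ZoneOffset.UTC);
        return name + "=; Path=" + path
                + "; Expires=" + cookieDate.format(Instant.EPOCH)
                + "; Max-Age=0";
    }

    // Given every cookie on the request, pick the first JSESSIONID whose value
    // the current context recognises. A "/" cookie and a "/app" cookie can then
    // coexist and the right one still wins, instead of "first JSESSIONID seen".
    static String selectSessionId(List<Cookie> cookies, Predicate<String> validInContext) {
        for (Cookie c : cookies) {
            if (SESSION_COOKIE.equals(c.name()) && validInContext.test(c.value())) {
                return c.value();
            }
        }
        return null; // no session for this context: caller creates a fresh one
    }

    // Hide JSESSIONID cookies the current context does not own, so a webapp
    // never gets to read a sibling application's session identifier.
    static List<Cookie> sanitize(List<Cookie> cookies, Predicate<String> validInContext) {
        List<Cookie> visible = new ArrayList<>();
        for (Cookie c : cookies) {
            if (!SESSION_COOKIE.equals(c.name()) || validInContext.test(c.value())) {
                visible.add(c);
            }
        }
        return visible;
    }

    public static void main(String[] args) {
        // Constructed sample: the browser sends two session cookies, one issued by
        // the root context and one by /good, plus an unrelated cookie.
        List<Cookie> fromBrowser = List.of(
                new Cookie(SESSION_COOKIE, "ROOT1234.tomcatA", "/"),
                new Cookie(SESSION_COOKIE, "GOOD5678.tomcatA", "/good"),
                new Cookie("theme", "dark", "/"));

        // Hypothetical registry of live sessions belonging to the /good context.
        Set<String> goodSessions = Set.of("GOOD5678.tomcatA");
        Predicate<String> validInGood = goodSessions::contains;

        System.out.println("selected for /good: " + selectSessionId(fromBrowser, validInGood));
        System.out.println("visible to /good:   " + sanitize(fromBrowser, validInGood));
        System.out.println("delete header:      " + deletionHeader(SESSION_COOKIE, "/good"));
    }
}
```

Run it with `java SessionCookieDemo.java`. The root context's cookie is skipped by `selectSessionId` and dropped by `sanitize` because the /good registry does not know it, which is exactly the property that keeps a second webapp on the same host from reading a session id it was never issued.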