remm        2005/02/07 13:56:32

  Modified:    catalina/src/share/org/apache/catalina/session
                        ManagerBase.java StandardManager.java
               catalina/src/share/org/apache/catalina Manager.java
               modules/cluster/src/share/org/apache/catalina/cluster/session
                        DeltaManager.java
               catalina/src/share/org/apache/catalina/connector
                        Request.java
               catalina/src/share/org/apache/catalina/core
                        ApplicationHttpRequest.java
  Log:
  - Add new Manager.createSession(sessionId) method, allowing the client to
    "specify", through a cookie, the session id which should be used
    when emptySessionPath="true".
  - This fixes session tracking when using emptySessionPath="true".
  - The old createSession() method is deprecated.
  
  Revision  Changes    Path
  1.38      +43 -6     
jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/session/ManagerBase.java
  
  Index: ManagerBase.java
  ===================================================================
  RCS file: 
/home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/session/ManagerBase.java,v
  retrieving revision 1.37
  retrieving revision 1.38
  diff -u -r1.37 -r1.38
  --- ManagerBase.java  22 Nov 2004 14:50:23 -0000      1.37
  +++ ManagerBase.java  7 Feb 2005 21:56:32 -0000       1.38
  @@ -730,12 +730,31 @@
        * id will be assigned by this method, and available via the getId()
        * method of the returned session.  If a new session cannot be created
        * for any reason, return <code>null</code>.
  -     *
  +     * 
        * @exception IllegalStateException if a new session cannot be
        *  instantiated for any reason
  +     * @deprecated
        */
       public Session createSession() {
  -
  +        return createSession(null);
  +    }
  +    
  +    
  +    /**
  +     * Construct and return a new session object, based on the default
  +     * settings specified by this Manager's properties.  The session
  +     * id specified will be used as the session id.  
  +     * If a new session cannot be created for any reason, return 
  +     * <code>null</code>.
  +     * 
  +     * @param sessionId The session id which should be used to create the
  +     *  new session; if <code>null</code>, a new session id will be
  +     *  generated
  +     * @exception IllegalStateException if a new session cannot be
  +     *  instantiated for any reason
  +     */
  +    public Session createSession(String sessionId) {
  +        
           // Recycle or create a Session instance
           Session session = createEmptySession();
   
  @@ -744,15 +763,33 @@
           session.setValid(true);
           session.setCreationTime(System.currentTimeMillis());
           session.setMaxInactiveInterval(this.maxInactiveInterval);
  -        String sessionId = generateSessionId();
  +        if (sessionId == null) {
  +            sessionId = generateSessionId();
  +            // FIXME: Code to be used in case route replacement is needed
  +            /*
  +        } else {
  +            String jvmRoute = getJvmRoute();
  +            if (getJvmRoute() != null) {
  +                String requestJvmRoute = null;
  +                int index = sessionId.indexOf(".");
  +                if (index > 0) {
  +                    requestJvmRoute = sessionId
  +                            .substring(index + 1, sessionId.length());
  +                }
  +                if (requestJvmRoute != null && 
!requestJvmRoute.equals(jvmRoute)) {
  +                    sessionId = sessionId.substring(0, index) + "." + 
jvmRoute;
  +                }
  +            }
  +            */
  +        }
           session.setId(sessionId);
           sessionCounter++;
   
           return (session);
   
       }
  -
  -
  +    
  +    
       /**
        * Get a session from the recycled ones or create a new empty one.
        * The PersistentManager manager does not need to create session data
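Review bot: A non-null `sessionId` reaches `session.setId(sessionId)` unchanged: this hunk adds no check that the value is not already in use in this manager and no check of its length or character set, although the commit log says the value can come from a client cookie. The same gap appears in DeltaManager.createSession(String, boolean), where the "Guarantee uniqueness" loop now runs only for generated ids. Consider falling back to a generated id when the supplied one is already taken or malformed, e.g. `if (sessionId == null || sessions.get(sessionId) != null) sessionId = generateSessionId();`, assuming ManagerBase holds the `sessions` map that the subclasses use and taking whatever lock guards it elsewhere (not visible here). Separately, the commented-out jvmRoute block opens inside the `if` and carries its own `} else {`, which makes the brace structure hard to follow; it would read better kept out of the method until it is needed. createSession(String) begins in the previous hunk.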
  
  
  
  1.28      +3 -3      
jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/session/StandardManager.java
  
  Index: StandardManager.java
  ===================================================================
  RCS file: 
/home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/session/StandardManager.java,v
  retrieving revision 1.27
  retrieving revision 1.28
  diff -u -r1.27 -r1.28
  --- StandardManager.java      22 Nov 2004 16:35:18 -0000      1.27
  +++ StandardManager.java      7 Feb 2005 21:56:32 -0000       1.28
  @@ -278,7 +278,7 @@
        * @exception IllegalStateException if a new session cannot be
        *  instantiated for any reason
        */
  -    public Session createSession() {
  +    public Session createSession(String sessionId) {
   
           if ((maxActiveSessions >= 0) &&
               (sessions.size() >= maxActiveSessions)) {
  @@ -287,7 +287,7 @@
                   (sm.getString("standardManager.createSession.ise"));
           }
   
  -        return (super.createSession());
  +        return (super.createSession(sessionId));
   
       }
   
  
  
  
  1.15      +22 -2     
jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/Manager.java
  
  Index: Manager.java
  ===================================================================
  RCS file: 
/home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/Manager.java,v
  retrieving revision 1.14
  retrieving revision 1.15
  diff -u -r1.14 -r1.15
  --- Manager.java      7 Sep 2004 20:57:02 -0000       1.14
  +++ Manager.java      7 Feb 2005 21:56:32 -0000       1.15
  @@ -257,6 +257,7 @@
        */
       public void addPropertyChangeListener(PropertyChangeListener listener);
   
  +
       /**
        * Get a session from the recycled ones or create a new empty one.
        * The PersistentManager manager does not need to create session data
  @@ -264,20 +265,39 @@
        */                                                                      
   
       public Session createEmptySession();
   
  +
       /**
        * Construct and return a new session object, based on the default
        * settings specified by this Manager's properties.  The session
        * id will be assigned by this method, and available via the getId()
        * method of the returned session.  If a new session cannot be created
        * for any reason, return <code>null</code>.
  -     *
  +     * 
        * @exception IllegalStateException if a new session cannot be
        *  instantiated for any reason
  +     * @deprecated
        */
       public Session createSession();
   
   
       /**
  +     * Construct and return a new session object, based on the default
  +     * settings specified by this Manager's properties.  The session
  +     * id specified will be used as the session id.
  +     * If a new session cannot be created for any reason, return 
  +     * <code>null</code>.
  +     * 
  +     * @param sessionId The session id which should be used to create the
  +     *  new session; if <code>null</code>, the session
  +     *  id will be assigned by this method, and available via the getId()
  +     *  method of the returned session.
  +     * @exception IllegalStateException if a new session cannot be
  +     *  instantiated for any reason
  +     */
  +    public Session createSession(String sessionId);
  +
  +
  +    /**
        * Return the active Session, associated with this Manager, with the
        * specified session id (if any); otherwise return <code>null</code>.
        *
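Review bot: The `@deprecated` tag added to createSession() has no text, so callers get a warning with no pointer to the replacement; write it as `@deprecated Use {@link #createSession(String)} instead`. The same bare tag is added in ManagerBase.java. The Javadoc of the new method also says both that it returns null and that it throws IllegalStateException when a session cannot be created, and it does not say whether implementations must validate a caller-supplied id or what happens when that id collides with an existing session; since the commit log says the id may originate from a client cookie, that contract belongs on the interface. Adding a method to the Manager interface will presumably break implementations that do not extend ManagerBase, which is worth a changelog line.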
  
  
  
  1.37      +13 -11    
jakarta-tomcat-catalina/modules/cluster/src/share/org/apache/catalina/cluster/session/DeltaManager.java
  
  Index: DeltaManager.java
  ===================================================================
  RCS file: 
/home/cvs/jakarta-tomcat-catalina/modules/cluster/src/share/org/apache/catalina/cluster/session/DeltaManager.java,v
  retrieving revision 1.36
  retrieving revision 1.37
  diff -u -r1.36 -r1.37
  --- DeltaManager.java 22 Nov 2004 14:51:18 -0000      1.36
  +++ DeltaManager.java 7 Feb 2005 21:56:32 -0000       1.37
  @@ -235,8 +235,8 @@
        * @exception IllegalStateException if a new session cannot be
        *  instantiated for any reason
        */
  -    public Session createSession() {
  -        return createSession(true);
  +    public Session createSession(String sessionId) {
  +        return createSession(sessionId, true);
       }
   
       
  @@ -247,7 +247,7 @@
        * @param distribute
        * @return
        */
  -    public Session createSession(boolean distribute) {
  +    public Session createSession(String sessionId, boolean distribute) {
   
         if ((maxActiveSessions >= 0) &&
             (sessions.size() >= maxActiveSessions)) {
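Review bot: The Javadoc above `createSession(String sessionId, boolean distribute)` still has only an empty `@param distribute` and `@return`, and no entry for the new parameter. Add `@param sessionId the session id to use, or null to generate one`, and describe `distribute` and the return value while there. StandardManager.createSession(String) may have the same gap; only the tail of its Javadoc is visible in this diff. The public signature createSession(boolean) is replaced rather than overloaded, so any caller outside this file would need updating.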
  @@ -258,13 +258,14 @@
   
         // Recycle or create a Session instance
         DeltaSession session = getNewDeltaSession();
  -      String sessionId = generateSessionId();
  -
  -      synchronized (sessions) {
  -        while (sessions.get(sessionId) != null) { // Guarantee uniqueness
  -          duplicates++;
  +      if (sessionId == null) {
             sessionId = generateSessionId();
  -         }
  +          synchronized (sessions) {
  +              while (sessions.get(sessionId) != null) { // Guarantee 
uniqueness
  +                  duplicates++;
  +                  sessionId = generateSessionId();
  +              }
  +          }
         }
   
         session.setNew(true);
  @@ -849,7 +850,8 @@
                          if (log.isDebugEnabled())
                              log.debug("Manager (" + name + ") received 
session ("
                               + msg.getSessionID() + ") created.");
  -                       DeltaSession session = 
(DeltaSession)createSession(false);
  +                       DeltaSession session = 
  +                           (DeltaSession)createSession(msg.getSessionID(), 
false);
                          // Q: Why inform all session listener a replicate 
node?
                          session.setId(msg.getSessionID());
                          session.setNew(false);
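Review bot: `session.setId(msg.getSessionID())` on the context line after the new call now looks redundant, since the same id is already passed to `createSession(msg.getSessionID(), false)`. If createSession assigns the id itself (its tail is outside this hunk) and setId registers the session with the manager or notifies listeners, the second call would repeat that work; drop it or add a comment saying why it is kept. The enclosing message handler starts and ends outside the hunk.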
  
  
  
  1.19      +10 -2     
jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/connector/Request.java
  
  Index: Request.java
  ===================================================================
  RCS file: 
/home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/connector/Request.java,v
  retrieving revision 1.18
  retrieving revision 1.19
  diff -u -r1.18 -r1.19
  --- Request.java      20 Nov 2004 21:10:47 -0000      1.18
  +++ Request.java      7 Feb 2005 21:56:32 -0000       1.19
  @@ -2196,7 +2196,15 @@
                 (sm.getString("coyoteRequest.sessionCreateCommitted"));
           }
   
  -        session = manager.createSession();
  +        // Attempt to reuse session id if one was submitted in a cookie
  +        // Do not reuse the session id if it is from a URL, to prevent 
possible
  +        // phishing attacks
  +        if (connector.getEmptySessionPath() 
  +                && isRequestedSessionIdFromCookie()) {
  +            session = manager.createSession(getRequestedSessionId());
  +        } else {
  +            session = manager.createSession(null);
  +        }
   
           // Creating a new session cookie based on that session
           if ((session != null) && (getContext() != null)
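Review bot: The new branch treats a session id taken from a cookie as safe to adopt, but a cookie value is still chosen by the client and, with the cookie scope that emptySessionPath implies, may have been set by something other than this application; the URL exclusion in the comment covers only one way a known id can be planted. As written, `manager.createSession(getRequestedSessionId())` passes the value through with no check that a session with that id already exists in another context on the host, and no format check. Consider adopting the cookie id only when it matches a live session elsewhere on the host and generating a fresh id otherwise, and make sure the id is changed when the user authenticates. At minimum extend the comment, e.g. `// NOTE: cookie-supplied id is client-controlled; validated by <where>`. The enclosing method starts and ends outside the hunk.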
  
  
  
  1.25      +3 -8      
jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/core/ApplicationHttpRequest.java
  
  Index: ApplicationHttpRequest.java
  ===================================================================
  RCS file: 
/home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/core/ApplicationHttpRequest.java,v
  retrieving revision 1.24
  retrieving revision 1.25
  diff -u -r1.24 -r1.25
  --- ApplicationHttpRequest.java       15 Jan 2005 20:31:21 -0000      1.24
  +++ ApplicationHttpRequest.java       7 Feb 2005 21:56:32 -0000       1.25
  @@ -529,13 +529,8 @@
                       // Ignore
                   }
                   if (localSession == null && create) {
  -                    localSession = context.getManager().createEmptySession();
  -                    localSession.setNew(true);
  -                    localSession.setValid(true);
  -                    localSession.setCreationTime(System.currentTimeMillis());
  -                    localSession.setMaxInactiveInterval
  -                        (context.getManager().getMaxInactiveInterval());
  -                    localSession.setId(other.getId());
  +                    localSession = 
  +                        context.getManager().createSession(other.getId());
                   }
                   if (localSession != null) {
                       localSession.access();
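Review bot: Replacing the hand-built session with `context.getManager().createSession(other.getId())` changes the failure behaviour: StandardManager.createSession(String) in this commit throws IllegalStateException once maxActiveSessions is reached, whereas the removed createEmptySession() sequence did not pass through that check. If this call sits outside the try whose `// Ignore` catch is visible above (the block starts outside this hunk), a cross-context session creation can now propagate that exception to the caller. Either state in a comment that this is intended, e.g. `// may throw IllegalStateException when the manager is at maxActiveSessions`, or handle it here.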
  
  
  
