remm 2005/02/07 13:56:32 Modified: catalina/src/share/org/apache/catalina/session ManagerBase.java StandardManager.java catalina/src/share/org/apache/catalina Manager.java modules/cluster/src/share/org/apache/catalina/cluster/session DeltaManager.java catalina/src/share/org/apache/catalina/connector Request.java catalina/src/share/org/apache/catalina/core ApplicationHttpRequest.java Log: - Add new Manager.createSession(sessionId) method, allowing the client to "specify" the session id which should be used using a cookie when using emptySessionPath="true". - This fixes session tracking when using emptySessionPath="true". - The old createSession() method is deprecated. Revision Changes Path 1.38 +43 -6 jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/session/ManagerBase.java Index: ManagerBase.java =================================================================== RCS file: /home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/session/ManagerBase.java,v retrieving revision 1.37 retrieving revision 1.38 diff -u -r1.37 -r1.38 --- ManagerBase.java 22 Nov 2004 14:50:23 -0000 1.37 +++ ManagerBase.java 7 Feb 2005 21:56:32 -0000 1.38 
@@ -730,12 +730,31 @@ * id will be assigned by this method, and available via the getId() * method of the returned session. If a new session cannot be created * for any reason, return <code>null</code>. - * + * * @exception IllegalStateException if a new session cannot be * instantiated for any reason + * @deprecated */ public Session createSession() { - + return createSession(null); + } + + + /** + * Construct and return a new session object, based on the default + * settings specified by this Manager's properties. The session + * id specified will be used as the session id. + * If a new session cannot be created for any reason, return + * <code>null</code>. + * + * @param sessionId The session id which should be used to create the + * new session; if <code>null</code>, a new session id will be + * generated + * @exception IllegalStateException if a new session cannot be + * instantiated for any reason + */ + public Session createSession(String sessionId) { + // Recycle or create a Session instance Session session = createEmptySession(); 
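Review bot: The `@deprecated` tag added to `createSession()` in ManagerBase.java carries no text, so the generated Javadoc gives callers no replacement to move to; the same bare tag is added in Manager.java (`@@ -264,20 +265,39 @@`). I would write `@deprecated Use {@link #createSession(String)} and pass <code>null</code> to have an id generated.` in both places. The new method's Javadoc also says "return <code>null</code>" next to `@exception IllegalStateException`, which leaves the failure behaviour ambiguous for callers. The body of `createSession(String)` continues past the end of this hunk.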
@@ -744,15 +763,33 @@ session.setValid(true); session.setCreationTime(System.currentTimeMillis()); session.setMaxInactiveInterval(this.maxInactiveInterval); - String sessionId = generateSessionId(); + if (sessionId == null) { + sessionId = generateSessionId(); + // FIXME: Code to be used in case route replacement is needed + /* + } else { + String jvmRoute = getJvmRoute(); + if (getJvmRoute() != null) { + String requestJvmRoute = null; + int index = sessionId.indexOf("."); + if (index > 0) { + requestJvmRoute = sessionId + .substring(index + 1, sessionId.length()); + } + if (requestJvmRoute != null && !requestJvmRoute.equals(jvmRoute)) { + sessionId = sessionId.substring(0, index) + "." + jvmRoute; + } + } + */ + } session.setId(sessionId); sessionCounter++; return (session); } - - + + /** * Get a session from the recycled ones or create a new empty one. * The PersistentManager manager does not need to create session data 1.28 +3 -3 jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/session/StandardManager.java Index: StandardManager.java =================================================================== RCS file: /home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/session/StandardManager.java,v retrieving revision 1.27 retrieving revision 1.28 diff -u -r1.27 -r1.28 --- StandardManager.java 22 Nov 2004 16:35:18 -0000 1.27 +++ StandardManager.java 7 Feb 2005 21:56:32 -0000 1.28 @@ -278,7 +278,7 @@ * @exception IllegalStateException if a new session cannot be * instantiated for any reason */ - public Session createSession() { + public Session createSession(String sessionId) { if ((maxActiveSessions >= 0) && (sessions.size() >= maxActiveSessions)) { 
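Review bot: In ManagerBase.java `@@ -744,15 +763,33 @@`, a non-null `sessionId` reaches `session.setId(sessionId)` with no check that the value is well-formed or not already held by a live session in this manager; only the `sessionId == null` branch yields an id the server chose. Request.java in this commit passes a cookie value into this method, so the id is client-controlled input. I would fall back to a generated id on collision, e.g. `if (sessionId == null || sessions.get(sessionId) != null) { sessionId = generateSessionId(); }` (assuming `sessions` is the same map StandardManager consults), and bound the length and character set of supplied ids. DeltaManager.java `@@ -258,13 +258,14 @@` has the same gap: its uniqueness loop now runs only for generated ids. The method starts in the previous hunk.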
@@ -287,7 +287,7 @@ (sm.getString("standardManager.createSession.ise")); } - return (super.createSession()); + return (super.createSession(sessionId)); } 1.15 +22 -2 jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/Manager.java Index: Manager.java =================================================================== RCS file: /home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/Manager.java,v retrieving revision 1.14 retrieving revision 1.15 diff -u -r1.14 -r1.15 --- Manager.java 7 Sep 2004 20:57:02 -0000 1.14 +++ Manager.java 7 Feb 2005 21:56:32 -0000 1.15 @@ -257,6 +257,7 @@ */ public void addPropertyChangeListener(PropertyChangeListener listener); + /** * Get a session from the recycled ones or create a new empty one. * The PersistentManager manager does not need to create session data 
@@ -264,20 +265,39 @@ */ public Session createEmptySession(); + /** * Construct and return a new session object, based on the default * settings specified by this Manager's properties. The session * id will be assigned by this method, and available via the getId() * method of the returned session. If a new session cannot be created * for any reason, return <code>null</code>. - * + * * @exception IllegalStateException if a new session cannot be * instantiated for any reason + * @deprecated */ public Session createSession(); /** + * Construct and return a new session object, based on the default + * settings specified by this Manager's properties. The session + * id specified will be used as the session id. + * If a new session cannot be created for any reason, return + * <code>null</code>. + * + * @param sessionId The session id which should be used to create the + * new session; if <code>null</code>, the session + * id will be assigned by this method, and available via the getId() + * method of the returned session. + * @exception IllegalStateException if a new session cannot be + * instantiated for any reason + */ + public Session createSession(String sessionId); + + + /** * Return the active Session, associated with this Manager, with the * specified session id (if any); otherwise return <code>null</code>. * 1.37 +13 -11 jakarta-tomcat-catalina/modules/cluster/src/share/org/apache/catalina/cluster/session/DeltaManager.java Index: DeltaManager.java =================================================================== RCS file: /home/cvs/jakarta-tomcat-catalina/modules/cluster/src/share/org/apache/catalina/cluster/session/DeltaManager.java,v retrieving revision 1.36 retrieving revision 1.37 diff -u -r1.36 -r1.37 --- DeltaManager.java 22 Nov 2004 14:51:18 -0000 1.36 +++ DeltaManager.java 7 Feb 2005 21:56:32 -0000 1.37 
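Review bot: The Javadoc added for `createSession(String sessionId)` in Manager.java says the supplied id "will be used as the session id" but does not say where that id may come from or who is responsible for rejecting one that is already in use. Since this is the contract other Manager implementations code against, I would extend the `@param sessionId` text with something like `The id is used as given and may originate from the client; callers must ensure it is not already bound to an active session in this Manager.` Adding a method to this interface also means implementations that do not extend ManagerBase have to be updated before they compile again, which the deprecation of `createSession()` alone does not signal.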
@@ -235,8 +235,8 @@ * @exception IllegalStateException if a new session cannot be * instantiated for any reason */ - public Session createSession() { - return createSession(true); + public Session createSession(String sessionId) { + return createSession(sessionId, true); } @@ -247,7 +247,7 @@ * @param distribute * @return */ - public Session createSession(boolean distribute) { + public Session createSession(String sessionId, boolean distribute) { if ((maxActiveSessions >= 0) && (sessions.size() >= maxActiveSessions)) { @@ -258,13 +258,14 @@ // Recycle or create a Session instance DeltaSession session = getNewDeltaSession(); - String sessionId = generateSessionId(); - - synchronized (sessions) { - while (sessions.get(sessionId) != null) { // Guarantee uniqueness - duplicates++; + if (sessionId == null) { sessionId = generateSessionId(); - } + synchronized (sessions) { + while (sessions.get(sessionId) != null) { // Guarantee uniqueness + duplicates++; + sessionId = generateSessionId(); + } + } } session.setNew(true); @@ -849,7 +850,8 @@ if (log.isDebugEnabled()) log.debug("Manager (" + name + ") received session (" + msg.getSessionID() + ") created."); - DeltaSession session = (DeltaSession)createSession(false); + DeltaSession session = + (DeltaSession)createSession(msg.getSessionID(), false); // Q: Why inform all session listener a replicate node? session.setId(msg.getSessionID()); session.setNew(false); 1.19 +10 -2 jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/connector/Request.java Index: Request.java =================================================================== RCS file: /home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/connector/Request.java,v retrieving revision 1.18 retrieving revision 1.19 diff -u -r1.18 -r1.19 --- Request.java 20 Nov 2004 21:10:47 -0000 1.18 +++ Request.java 7 Feb 2005 21:56:32 -0000 1.19 
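Review bot: In DeltaManager.java `@@ -849,7 +850,8 @@`, the id is now passed into `createSession(msg.getSessionID(), false)` while the unchanged `session.setId(msg.getSessionID());` still follows, so the id is presumably assigned twice for replicated sessions. The tail of `createSession(String, boolean)` is outside the visible hunks, so I cannot confirm it calls `setId`; if it does, either drop the explicit call here or confirm that a second `setId` does not repeat map registration or listener notification. The id here also comes straight from a cluster message and skips the uniqueness loop, so it is worth stating in a comment that cluster peers are trusted to send unique ids.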
@@ -2196,7 +2196,15 @@ (sm.getString("coyoteRequest.sessionCreateCommitted")); } - session = manager.createSession(); + // Attempt to reuse session id if one was submitted in a cookie + // Do not reuse the session id if it is from a URL, to prevent possible + // phishing attacks + if (connector.getEmptySessionPath() + && isRequestedSessionIdFromCookie()) { + session = manager.createSession(getRequestedSessionId()); + } else { + session = manager.createSession(null); + } // Creating a new session cookie based on that session if ((session != null) && (getContext() != null) 1.25 +3 -8 jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/core/ApplicationHttpRequest.java Index: ApplicationHttpRequest.java =================================================================== RCS file: /home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/core/ApplicationHttpRequest.java,v retrieving revision 1.24 retrieving revision 1.25 diff -u -r1.24 -r1.25 --- ApplicationHttpRequest.java 15 Jan 2005 20:31:21 -0000 1.24 +++ ApplicationHttpRequest.java 7 Feb 2005 21:56:32 -0000 1.25 @@ -529,13 +529,8 @@ // Ignore } if (localSession == null && create) { - localSession = context.getManager().createEmptySession(); - localSession.setNew(true); - localSession.setValid(true); - localSession.setCreationTime(System.currentTimeMillis()); - localSession.setMaxInactiveInterval - (context.getManager().getMaxInactiveInterval()); - localSession.setId(other.getId()); + localSession = + context.getManager().createSession(other.getId()); } if (localSession != null) { localSession.access();
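Review bot: In Request.java `@@ -2196,7 +2196,15 @@`, the added branch hands `getRequestedSessionId()` to `manager.createSession(...)` whenever the id arrived in a cookie, but a cookie is still client-supplied, so with `emptySessionPath` enabled the server adopts a session id it did not generate (a session-fixation exposure); the new comment only rules out URL-supplied ids. I would reuse the requested id only when it can be shown to belong to a live session in another context on the same host, and generate a fresh id otherwise. A comment here should also state that applications are expected to obtain a new session id at login, since this path preserves a pre-authentication id. The enclosing method begins and ends outside this hunk.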
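Review bot: In ApplicationHttpRequest.java `@@ -529,13 +529,8 @@`, replacing the inline construction with `context.getManager().createSession(other.getId())` changes behaviour beyond tidying: with StandardManager (see its hunks in this commit) the call now goes through the `maxActiveSessions` check and can throw `IllegalStateException`, which the removed `createEmptySession()` sequence did not. If that is intended, a short comment such as `// may throw IllegalStateException when the target context is at maxActiveSessions` would make it visible; otherwise the exception needs handling here. The enclosing method is only partly visible in this hunk.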