On 11/12/2019 17:46, Christopher Schultz wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Mark,
>
> On 12/7/19 17:30, ma...@apache.org wrote:
>> This is an automated email from the ASF dual-hosted git
>> repository.
>>
>> markt pushed a commit to branch 7.0.x in repository
>> https://gitbox.apache.org/repos/asf/tomcat.git
>>
>> commit c06674e09e9f3f43dc0e5c022dc8c311a4285cfd Author: Mark Thomas
>> <ma...@apache.org> AuthorDate: Fri Dec 6 12:13:15 2019 +0000
>>
>> Add an atomic method to rotate session ID and return new value.
>>
>> Use it where possible.
>
> Shouldn't there be a "synchronized" keyword somewhere in there?
Not to solve the problem the commit was intended to solve.
Maybe the commit message wasn't worded in the best way to describe what
was going on.
The key thing here is that the new session ID that was created as a
result of this call is the one that is returned to the caller.
Mark
>
> - -chris
>
>> --- java/org/apache/catalina/connector/Request.java | 27
>> +++++++++++++++++++++++
>> java/org/apache/catalina/session/ManagerBase.java | 15
>> +++++++++++-- 2 files changed, 40 insertions(+), 2 deletions(-)
>>
>> diff --git a/java/org/apache/catalina/connector/Request.java
>> b/java/org/apache/catalina/connector/Request.java index
>> a0726ee..ab4e5f0 100644 ---
>> a/java/org/apache/catalina/connector/Request.java +++
>> b/java/org/apache/catalina/connector/Request.java @@ -74,6 +74,7 @@
>> import org.apache.catalina.core.ApplicationPart; import
>> org.apache.catalina.core.ApplicationSessionCookieConfig; import
>> org.apache.catalina.core.AsyncContextImpl; import
>> org.apache.catalina.realm.GenericPrincipal; +import
>> org.apache.catalina.session.ManagerBase; import
>> org.apache.catalina.util.ParameterMap; import
>> org.apache.catalina.util.RequestUtil; import
>> org.apache.catalina.util.StringParser; @@ -2702,6 +2703,32 @@
>> public class Request implements HttpServletRequest { }
>>
>>
>> + public String changeSessionId() { + + Session session =
>> this.getSessionInternal(false); + if (session == null) { +
>> throw new IllegalStateException( +
>> sm.getString("coyoteRequest.changeSessionId")); + } + +
>> Manager manager = this.getContext().getManager(); + + String
>> newSessionId = rotateSessionId(manager, session); +
>> this.changeSessionId(newSessionId); + + return
>> newSessionId; + } + + private String rotateSessionId(Manager
>> manager, Session session) { + if (manager instanceof
>> ManagerBase) { + return ((ManagerBase)
>> manager).rotateSessionId(session); + } else { +
>> // Best we do with the current interface +
>> manager.changeSessionId(session); + return
>> session.getId(); + } + } + /** * @return the session
>> associated with this Request, creating one * if necessary and
>> requested. diff --git
>> a/java/org/apache/catalina/session/ManagerBase.java
>> b/java/org/apache/catalina/session/ManagerBase.java index
>> e4121a6..8022d08 100644 ---
>> a/java/org/apache/catalina/session/ManagerBase.java +++
>> b/java/org/apache/catalina/session/ManagerBase.java @@ -851,9
>> +851,20 @@ public abstract class ManagerBase extends
>> LifecycleMBeanBase implements Manager
>>
>> @Override public void changeSessionId(Session session) { +
>> rotateSessionId(session); + } + + + public String
>> rotateSessionId(Session session) { + String newId =
>> generateSessionId(); + changeSessionId(session, newId); +
>> return newId; + } + + + public void changeSessionId(Session
>> session, String newId) { String oldId = session.getIdInternal(); -
>> session.setId(generateSessionId(), false); - String newId =
>> session.getIdInternal(); + session.setId(newId, false);
>> container.fireContainerEvent(Context.CHANGE_SESSION_ID_EVENT, new
>> String[] {oldId, newId}); }
>>
>>
>> ---------------------------------------------------------------------
>>
>>
> To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: dev-h...@tomcat.apache.org
>>
> -----BEGIN PGP SIGNATURE-----
> Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/
>
> iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAl3xK2kACgkQHPApP6U8
> pFgyKxAAs1tW1HjrlofSFAD1hPFG8iWITjAF7zuFzH3+gTCyuaQT/V6mD6Ad6xwR
> qrwdM1X4pZLkGYmIz1QOQtpzjAdZyuFRjlLLIlIVOdEj+d2vth3O0GgwSfRcU0PZ
> o4ars/2xeLyK3BD7iU79FfqtzrWlHuzXNtoBoBvy7YSJPvHqJh0Jd7faiiNZtUQ9
> H4zDlKQdBCyuehf5LOCV18iL0FhvwFZBzs09P8BXAwdKjuI5SEj9Tc3DYTAMM6yS
> yc7EztgAg/YXDtV6dDfwHZ5T32apMxqOqH1iTZl6cjUcKlKSvTMoH6EeakyF+DDJ
> W0edlmP9rUTj8Gwu13L5I8T/3G4qu6dV3RGV7BxQmha7gJoafte/TL64v20RkXYw
> qidZ0asGu96d4/VQsCSTmBVIpBDMhxUpmm62dPQpO4aD6bWLOCrAChSvouk0uDCO
> 6eBZhSfFWRo/I3SmPrLpy4/bO8L/JlBWEGr2Oen84iNSBX3K1xqWY35/weOPZhaN
> uoU0xJzICU9umbnSwSECUmNFIfdhhfQ80rc4RWFovCAfcvfbH9V7TU+LQk4WGuhU
> oaezHcAarYvfYXRAtl7ypxwDjeOT0oNonDi8WHkaPdkFo1ZNS2aXxm7fh5jxDIbF
> QSLyDjm35hX2+pJkdgNoKCfVnlWOm2QJUQhhc+i3EiNdksuET8U=
> =qerJ
> -----END PGP SIGNATURE-----
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: dev-h...@tomcat.apache.org
>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
