Author: markt Date: Fri May 14 19:00:21 2010 New Revision: 944398 URL: http://svn.apache.org/viewvc?rev=944398&view=rev Log: Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=49158 Ensure only one session cookie is returned for a single request.
Modified: tomcat/tc6.0.x/trunk/STATUS.txt tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/Request.java tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/Response.java tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml Modified: tomcat/tc6.0.x/trunk/STATUS.txt URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STATUS.txt?rev=944398&r1=944397&r2=944398&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/STATUS.txt (original) +++ tomcat/tc6.0.x/trunk/STATUS.txt Fri May 14 19:00:21 2010 @@ -221,21 +221,6 @@ PATCHES PROPOSED TO BACKPORT: +1: kkolinko, markt, rjung -1: -* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=49158 - http://svn.apache.org/viewvc?view=revision&revision=935998 - +1: fhanik - -1: kkolinko: 1) because Response#addSessionCookieInternal(..) skips - cookies.add(cookie); call - 2) you need to take care of the useHttpOnly flag - -1: - Alternative patch that addresses Konstatin's review comments - http://people.apache.org/~markt/patches/2010-05-05-bug49158.patch - +1: markt, kkolinko, rjung - -1: - kkolinko: (Trivial: in generateCookieString() you can declare - httpOnlyParam as "final" and get rid of a local variable.) - - * Configure Tomcat to use HttpOnly for session cookies by default http://people.apache.org/~kkolinko/patches/2010-04-21_tc6_context_httpOnly.patch +1: kkolinko Modified: tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/Request.java URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/Request.java?rev=944398&r1=944397&r2=944398&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/Request.java (original) +++ tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/Request.java Fri May 14 19:00:21 2010 
@@ -68,7 +68,6 @@ import org.apache.catalina.core.Applicat import org.apache.catalina.realm.GenericPrincipal; import org.apache.catalina.util.Enumerator; import org.apache.catalina.util.ParameterMap; -import org.apache.catalina.util.RequestUtil; import org.apache.catalina.util.StringManager; import org.apache.catalina.util.StringParser; @@ -2269,9 +2268,10 @@ public class Request newCookie.setSecure(true); } if (context == null) { - response.addCookieInternal(newCookie, false); + response.addSessionCookieInternal(newCookie, false); } else { - response.addCookieInternal(newCookie, context.getUseHttpOnly()); + response.addSessionCookieInternal(newCookie, + context.getUseHttpOnly()); } } } @@ -2398,7 +2398,7 @@ public class Request Cookie cookie = new Cookie(Globals.SESSION_COOKIE_NAME, session.getIdInternal()); configureSessionCookie(cookie); - response.addCookieInternal(cookie, context.getUseHttpOnly()); + response.addSessionCookieInternal(cookie, context.getUseHttpOnly()); } if (session != null) { Modified: tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/Response.java URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/Response.java?rev=944398&r1=944397&r2=944398&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/Response.java (original) +++ tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/Response.java Fri May 14 19:00:21 2010 @@ -30,6 +30,7 @@ import java.security.PrivilegedException import java.text.SimpleDateFormat; import java.util.ArrayList; import java.util.Enumeration; +import java.util.Iterator; import java.util.Locale; import java.util.TimeZone; import java.util.Vector; @@ -222,7 +223,7 @@ public class Response /** * The set of Cookies associated with this Response. */ - protected ArrayList cookies = new ArrayList(); + protected ArrayList<Cookie> cookies = new ArrayList<Cookie>(); /** 
@@ -864,7 +865,7 @@ public class Response * a zero-length array if no cookies have been set. */ public Cookie[] getCookies() { - return ((Cookie[]) cookies.toArray(new Cookie[cookies.size()])); + return cookies.toArray(new Cookie[cookies.size()]); } @@ -968,7 +969,47 @@ public class Response } - + /** + * Special method for adding a session cookie as we should be overriding + * any previous + * @param cookie + */ + public void addSessionCookieInternal(final Cookie cookie, + boolean httpOnly) { + if (isCommitted()) + return; + + String name = cookie.getName(); + final String headername = "Set-Cookie"; + final String startsWith = name + "="; + final StringBuffer sb = generateCookieString(cookie, httpOnly); + boolean set = false; + MimeHeaders headers = coyoteResponse.getMimeHeaders(); + int n = headers.size(); + for (int i = 0; i < n; i++) { + if (headers.getName(i).toString().equals(headername)) { + if (headers.getValue(i).toString().startsWith(startsWith)) { + headers.setValue(sb.toString()); + set = true; + } + } + } + if (set) { + Iterator<Cookie> iter = cookies.iterator(); + while (iter.hasNext()) { + Cookie c = iter.next(); + if (name.equals(c.getName())) { + iter.remove(); + break; + } + } + } else { + addHeader(headername, sb.toString()); + } + cookies.add(cookie); + + + } /** * Add the specified Cookie to those that will be included with * this Response. 
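Review bot: `headers.setValue(sb.toString())` in the new addSessionCookieInternal appears to pass the generated cookie string where MimeHeaders.setValue expects a header *name*, and it discards the returned MessageBytes; if that method locates or creates a header by name (as its use elsewhere in Tomcat suggests), this creates a bogus header instead of rewriting the matching Set-Cookie value, yet `set` becomes true and the stale session cookie is still sent. The value found by the loop should be replaced in place, `headers.getValue(i).setString(sb.toString());`. The Javadoc on the new method is also incomplete — `@param cookie` carries no description and `@param httpOnly` is missing; I would write `@param cookie the session cookie to add, replacing any Set-Cookie header already queued for a cookie of the same name` and `@param httpOnly whether to append the HttpOnly attribute to the header value`. Note that the `equals(headername)` match is case-sensitive, which only holds as long as every Set-Cookie header is added through addHeader with that exact spelling.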
@@ -991,6 +1032,18 @@ public class Response if (isCommitted()) return; + final StringBuffer sb = generateCookieString(cookie, httpOnly); + //if we reached here, no exception, cookie is valid + // the header name is Set-Cookie for both "old" and v.1 ( RFC2109 ) + // RFC2965 is not supported by browsers and the Servlet spec + // asks for 2109. + addHeader("Set-Cookie", sb.toString()); + + cookies.add(cookie); + } + + public StringBuffer generateCookieString(final Cookie cookie, + final boolean httpOnly) { final StringBuffer sb = new StringBuffer(); //web application code can receive a IllegalArgumentException //from the appendCookieValue invokation @@ -1012,13 +1065,7 @@ public class Response cookie.getPath(), cookie.getDomain(), cookie.getComment(), cookie.getMaxAge(), cookie.getSecure(), httpOnly); } - //if we reached here, no exception, cookie is valid - // the header name is Set-Cookie for both "old" and v.1 ( RFC2109 ) - // RFC2965 is not supported by browsers and the Servlet spec - // asks for 2109. - addHeader("Set-Cookie", sb.toString()); - - cookies.add(cookie); + return sb; } Modified: tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml?rev=944398&r1=944397&r2=944398&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml (original) +++ tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml Fri May 14 19:00:21 2010 @@ -103,6 +103,10 @@ prevent memory leak. (kfujino) </fix> <fix> + <bug>49158</bug>: Ensure only one session cookie is returned for a + single request. (markt/fhanik) + </fix> + <fix> <bug>49245</bug>: Fix session expiration check in cross-context requests. (markt) </fix> --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
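Review bot: `generateCookieString` in the @@ -991 hunk is introduced as `public`, although its only callers in this commit are addCookieInternal and addSessionCookieInternal; `protected StringBuffer generateCookieString(final Cookie cookie, final boolean httpOnly)` would keep the new helper off the public Response API while still allowing subclasses to reuse it. It also has no Javadoc, while the retained comment about an IllegalArgumentException from appendCookieValue reaching web application code now lives inside it; I would add a one-line Javadoc saying it builds the Set-Cookie header value for the cookie without adding the header, with `@throws IllegalArgumentException if the cookie name or value is rejected by appendCookieValue`, per that existing comment. The enclosing addCookieInternal begins before the hunk, so its updated signature is not visible here.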