Author: markt Date: Wed Jun 9 14:30:30 2010 New Revision: 953025 URL: http://svn.apache.org/viewvc?rev=953025&view=rev Log: * Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=48379 Make session cookie name, domain and path configurable per context
Modified: tomcat/tc6.0.x/trunk/STATUS.txt tomcat/tc6.0.x/trunk/java/org/apache/catalina/Context.java tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/CoyoteAdapter.java tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/Request.java tomcat/tc6.0.x/trunk/java/org/apache/catalina/core/StandardContext.java tomcat/tc6.0.x/trunk/java/org/apache/catalina/ha/session/JvmRouteBinderValve.java tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml tomcat/tc6.0.x/trunk/webapps/docs/config/context.xml Modified: tomcat/tc6.0.x/trunk/STATUS.txt URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STATUS.txt?rev=953025&r1=953024&r2=953025&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/STATUS.txt (original) +++ tomcat/tc6.0.x/trunk/STATUS.txt Wed Jun 9 14:30:30 2010 @@ -62,13 +62,6 @@ PATCHES PROPOSED TO BACKPORT: message text ("starting"), vs. what actually happened (initialize()) - I won't insist on fixing that inconsistency. -* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=48379 - Make session cookie name, domain and path configurable per context. - Updated patch in response to review comments from kkolinko & rjung - http://people.apache.org/~markt/patches/2010-06-07-bug48379.patch - +1: markt, jfclere, kkolinko - -1: - * Configure Tomcat to use HttpOnly for session cookies by default http://people.apache.org/~kkolinko/patches/2010-04-21_tc6_context_httpOnly.patch +1: kkolinko Modified: tomcat/tc6.0.x/trunk/java/org/apache/catalina/Context.java URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/Context.java?rev=953025&r1=953024&r2=953025&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/java/org/apache/catalina/Context.java (original) +++ tomcat/tc6.0.x/trunk/java/org/apache/catalina/Context.java Wed Jun 9 14:30:30 2010 
@@ -181,6 +181,26 @@ public interface Context extends Contain */ public void setCookies(boolean cookies); + + /** + * Gets the name to use for session cookies. Overrides any setting that + * may be specified by the application. + * + * @return The value of the default session cookie name or null if not + * specified + */ + public String getSessionCookieName(); + + + /** + * Sets the name to use for session cookies. Overrides any setting that + * may be specified by the application. + * + * @param sessionCookieName The name to use + */ + public void setSessionCookieName(String sessionCookieName); + + /** * Gets the value of the use HttpOnly cookies for session cookies flag. * 
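Review bot: The Javadoc added for the session cookie accessors does not say which values are acceptable or what the setting exposes, both here for the name and in the next hunk of this file for the domain and path. A configured domain makes browsers send the session id to every host under that domain, and a path wider than the context path sends it to other applications on the same host, so the setters should say so, e.g. `Note: a path outside this context's own path exposes the session id to other web applications on the host.` For the name getter, `@return` should also state what a caller is expected to use when it returns null, since every call site in this commit falls back to `Globals.SESSION_COOKIE_NAME` on its own.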
@@ -198,12 +218,50 @@ public interface Context extends Contain */ public void setUseHttpOnly(boolean useHttpOnly); + + /** + * Gets the domain to use for session cookies. Overrides any setting that + * may be specified by the application. + * + * @return The value of the default session cookie domain or null if not + * specified + */ + public String getSessionCookieDomain(); + + + /** + * Sets the domain to use for session cookies. Overrides any setting that + * may be specified by the application. + * + * @param sessionCookieDomain The domain to use + */ + public void setSessionCookieDomain(String sessionCookieDomain); + + + /** + * Gets the path to use for session cookies. Overrides any setting that + * may be specified by the application. + * + * @return The value of the default session cookie path or null if not + * specified + */ + public String getSessionCookiePath(); + + + /** + * Sets the path to use for session cookies. Overrides any setting that + * may be specified by the application. + * + * @param sessionCookiePath The path to use + */ + public void setSessionCookiePath(String sessionCookiePath); + + /** * Return the "allow crossing servlet contexts" flag. */ public boolean getCrossContext(); - /** * Return the alternate Deployment Descriptor name. Modified: tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/CoyoteAdapter.java URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/CoyoteAdapter.java?rev=953025&r1=953024&r2=953025&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/CoyoteAdapter.java (original) +++ tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/CoyoteAdapter.java Wed Jun 9 14:30:30 2010 
@@ -592,9 +592,11 @@ public class CoyoteAdapter implements Ad if (count <= 0) return; + String sessionCookieName = getSessionCookieName(context); + for (int i = 0; i < count; i++) { ServerCookie scookie = serverCookies.getCookie(i); - if (scookie.getName().equals(Globals.SESSION_COOKIE_NAME)) { + if (scookie.getName().equals(sessionCookieName)) { // Override anything requested in the URL if (!request.isRequestedSessionIdFromCookie()) { // Accept only the first session id cookie @@ -868,9 +870,6 @@ public class CoyoteAdapter implements Ad } - // ------------------------------------------------------ Protected Methods - - /** * Copy an array of bytes to a different position. Used during * normalization. @@ -882,4 +881,18 @@ public class CoyoteAdapter implements Ad } + private String getSessionCookieName(Context context) { + + String result = null; + + if (context != null) { + result = context.getSessionCookieName(); + } + + if (result == null) { + result = Globals.SESSION_COOKIE_NAME; + } + + return result; + } } Modified: tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/Request.java URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/Request.java?rev=953025&r1=953024&r2=953025&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/Request.java (original) +++ tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/Request.java Wed Jun 9 14:30:30 2010 
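Review bot: The private helper `getSessionCookieName(Context)` added at the end of the class has no Javadoc, and its null fallback to `Globals.SESSION_COOKIE_NAME` is repeated inline in both Request.java hunks and in JvmRouteBinderValve. If one copy drifts, the name the server sets on the cookie and the name this adapter matches on incoming requests would differ, and requests would silently lose their session. I would document it with `/** Returns the context's session cookie name, or Globals.SESSION_COOKIE_NAME if the context is null or has none configured. */` and consider exposing one shared helper for the other call sites. The cookie-matching loop in the first hunk belongs to a method that starts and ends outside the hunk.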
@@ -2251,22 +2251,18 @@ public class Request return; if (response != null) { - Cookie newCookie = new Cookie(Globals.SESSION_COOKIE_NAME, - newSessionId); - newCookie.setMaxAge(-1); - String contextPath = null; - if (!response.getConnector().getEmptySessionPath() - && (context != null)) { - contextPath = context.getEncodedPath(); + String scName = null; + if (context != null) { + scName = context.getSessionCookieName(); } - if ((contextPath != null) && (contextPath.length() > 0)) { - newCookie.setPath(contextPath); - } else { - newCookie.setPath("/"); - } - if (isSecure()) { - newCookie.setSecure(true); + if (scName == null) { + scName = Globals.SESSION_COOKIE_NAME; } + + Cookie newCookie = new Cookie(scName, newSessionId); + + configureSessionCookie(newCookie); + if (context == null) { response.addSessionCookieInternal(newCookie, false); } else { @@ -2395,8 +2391,11 @@ public class Request // Creating a new session cookie based on that session if ((session != null) && (getContext() != null) && getContext().getCookies()) { - Cookie cookie = new Cookie(Globals.SESSION_COOKIE_NAME, - session.getIdInternal()); + String scName = context.getSessionCookieName(); + if (scName == null) { + scName = Globals.SESSION_COOKIE_NAME; + } + Cookie cookie = new Cookie(scName, session.getIdInternal()); configureSessionCookie(cookie); response.addSessionCookieInternal(cookie, context.getUseHttpOnly()); } 
@@ -2417,15 +2416,27 @@ public class Request */ protected void configureSessionCookie(Cookie cookie) { cookie.setMaxAge(-1); + + Context ctxt = getContext(); + String contextPath = null; - if (!connector.getEmptySessionPath() && (getContext() != null)) { - contextPath = getContext().getEncodedPath(); + if (ctxt != null && !getConnector().getEmptySessionPath()) { + if (ctxt.getSessionCookiePath() != null) { + contextPath = ctxt.getSessionCookiePath(); + } else { + contextPath = ctxt.getEncodedPath(); + } } if ((contextPath != null) && (contextPath.length() > 0)) { cookie.setPath(contextPath); } else { cookie.setPath("/"); } + + if (ctxt != null && ctxt.getSessionCookieDomain() != null) { + cookie.setDomain(ctxt.getSessionCookieDomain()); + } + if (isSecure()) { cookie.setSecure(true); } Modified: tomcat/tc6.0.x/trunk/java/org/apache/catalina/core/StandardContext.java URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/core/StandardContext.java?rev=953025&r1=953024&r2=953025&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/java/org/apache/catalina/core/StandardContext.java (original) +++ tomcat/tc6.0.x/trunk/java/org/apache/catalina/core/StandardContext.java Wed Jun 9 14:30:30 2010 
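Review bot: An empty `sessionCookiePath` counts as configured under the new `!= null` test and then falls through the existing `contextPath.length() > 0` check to `cookie.setPath("/")`, so a non-root context configured with `sessionCookiePath=""` sends its session cookie to every application on the host instead of falling back to its own path. Reading the value once and treating empty as unset avoids that: `String scPath = ctxt.getSessionCookiePath();` followed by `contextPath = (scPath != null && scPath.length() > 0) ? scPath : ctxt.getEncodedPath();`. The domain branch has the same shape, since an empty string passes the `!= null` test and reaches `cookie.setDomain(...)`. The hand-copied logic in the JvmRouteBinderValve hunk behaves the same way. The method's closing brace is outside the hunk.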
@@ -703,11 +703,34 @@ public class StandardContext */ private boolean saveConfig = true; + /** * The flag that indicates that session cookies should use HttpOnly */ private boolean useHttpOnly = false; + + /** + * The domain to use for session cookies. <code>null</code> indicates that + * the domain is controlled by the application. + */ + private String sessionCookieDomain; + + + /** + * The path to use for session cookies. <code>null</code> indicates that + * the path is controlled by the application. + */ + private String sessionCookiePath; + + + /** + * The name to use for session cookies. <code>null</code> indicates that + * the name is controlled by the application. + */ + private String sessionCookieName; + + /** * Should Tomcat attempt to terminate threads that have been started by the * web application? Stopping threads is performed via the deprecated (for 
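Review bot: The field comments say `null` means the value "is controlled by the application", which does not match what the rest of this commit does with a null. In the Request.java hunks a null name falls back to `Globals.SESSION_COOKIE_NAME`, a null path falls back to the context's encoded path, and a null domain means `setDomain` is never called; the context.xml text added in this commit describes the same defaults. I would reword them, for example `null means no Domain attribute is set on the session cookie` and `null means the context path is used`.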
@@ -1176,8 +1199,79 @@ public class StandardContext } + /** + * Gets the domain to use for session cookies. + * + * @return The value of the default session cookie domain or null if not + * specified + */ + public String getSessionCookieDomain() { + return sessionCookieDomain; + } + + + /** + * Sets the domain to use for session cookies. + * + * @param sessionCookieDomain The domain to use + */ + public void setSessionCookieDomain(String sessionCookieDomain) { + String oldSessionCookieDomain = this.sessionCookieDomain; + this.sessionCookieDomain = sessionCookieDomain; + support.firePropertyChange("sessionCookieDomain", + oldSessionCookieDomain, sessionCookieDomain); + } + + + /** + * Gets the path to use for session cookies. + * + * @return The value of the default session cookie path or null if not + * specified + */ + public String getSessionCookiePath() { + return sessionCookiePath; + } + + + /** + * Sets the path to use for session cookies. + * + * @param sessionCookiePath The path to use + */ + public void setSessionCookiePath(String sessionCookiePath) { + String oldSessionCookiePath = this.sessionCookiePath; + this.sessionCookiePath = sessionCookiePath; + support.firePropertyChange("sessionCookiePath", + oldSessionCookiePath, sessionCookiePath); + } + + /** + * Gets the name to use for session cookies. + * + * @return The value of the default session cookie name or null if not + * specified + */ + public String getSessionCookieName() { + return sessionCookieName; + } + + + /** + * Sets the name to use for session cookies. Overrides any setting that + * may be specified by the application. + * + * @param sessionCookieName The name to use + */ + public void setSessionCookieName(String sessionCookieName) { + String oldSessionCookieName = this.sessionCookieName; + this.sessionCookieName = sessionCookieName; + support.firePropertyChange("sessionCookieName", + oldSessionCookieName, sessionCookieName); + } + /** * Return the "allow crossing servlet contexts" flag. 
*/ Modified: tomcat/tc6.0.x/trunk/java/org/apache/catalina/ha/session/JvmRouteBinderValve.java URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/ha/session/JvmRouteBinderValve.java?rev=953025&r1=953024&r2=953025&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/java/org/apache/catalina/ha/session/JvmRouteBinderValve.java (original) +++ tomcat/tc6.0.x/trunk/java/org/apache/catalina/ha/session/JvmRouteBinderValve.java Wed Jun 9 14:30:30 2010 
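Review bot: The three setters store whatever string the configuration supplies, so a bad value is only discovered later, on a request. For the name this appears to mean that `new Cookie(scName, ...)` in Request.java fails at session creation, since `javax.servlet.http.Cookie` rejects names that are not valid tokens with an IllegalArgumentException; path and domain are passed to the cookie unchecked. Checking at configuration time is easier to diagnose, e.g. in `setSessionCookiePath`: `if (sessionCookiePath != null && !sessionCookiePath.startsWith("/")) throw new IllegalArgumentException("sessionCookiePath must start with '/'");`, with matching checks for name and domain. The getters for domain and path also drop the "Overrides any setting…" sentence that the interface Javadoc carries, which is worth keeping consistent.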
@@ -455,25 +455,40 @@ public class JvmRouteBinderValve extends Context context = request.getContext(); if (context.getCookies()) { // set a new session cookie - Cookie newCookie = new Cookie(Globals.SESSION_COOKIE_NAME, - sessionId); + String scName = context.getSessionCookieName(); + if (scName == null) { + scName = Globals.SESSION_COOKIE_NAME; + } + Cookie newCookie = new Cookie(scName, sessionId); + newCookie.setMaxAge(-1); + String contextPath = null; - if (!response.getConnector().getEmptySessionPath() - && (context != null)) { - contextPath = context.getEncodedPath(); + if (!response.getConnector().getEmptySessionPath() && + (context != null)) { + if (context.getSessionCookiePath() != null) { + contextPath = context.getSessionCookiePath(); + } else { + contextPath = context.getEncodedPath(); + } } if ((contextPath != null) && (contextPath.length() > 0)) { newCookie.setPath(contextPath); } else { newCookie.setPath("/"); } + + if (context.getSessionCookieDomain() != null) { + newCookie.setDomain(context.getSessionCookieDomain()); + } + if (request.isSecure()) { newCookie.setSecure(true); } + if (log.isDebugEnabled()) { Object[] args = new Object[] {sessionId, - Globals.SESSION_COOKIE_NAME, + newCookie.getName(), newCookie.getPath(), new Boolean(newCookie.getSecure()), new Boolean(context.getUseHttpOnly())}; Modified: tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml?rev=953025&r1=953024&r2=953025&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml (original) +++ tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml Wed Jun 9 14:30:30 2010 
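Review bot: The `(context != null)` test in the rewritten path condition is dead, because `context.getCookies()` and the new `context.getSessionCookieName()` call have already dereferenced `context` above it; either drop it or move a null guard ahead of the first use. This block is also a hand copy of the path, domain and secure handling in `Request.configureSessionCookie`, so any later hardening there has to be repeated here. A comment such as `// Keep in sync with Request.configureSessionCookie()` would at least make that dependency visible. The enclosing method starts and ends outside the hunk.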
@@ -62,6 +62,10 @@ Improve exception handling on session de-serialization to assist in identifying the root cause of <bug>48007</bug>. (kkolinko) </fix> + <add> + <bug>48379</bug>: Make session cookie name, domain and path configurable + per context. (markt) + </add> <fix> <bug>48589</bug>: Make JNDIRealm easier to extend. Based on a patch by Candid Dauth. (markt/kkolinko) Modified: tomcat/tc6.0.x/trunk/webapps/docs/config/context.xml URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/config/context.xml?rev=953025&r1=953024&r2=953025&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/webapps/docs/config/context.xml (original) +++ tomcat/tc6.0.x/trunk/webapps/docs/config/context.xml Wed Jun 9 14:30:30 2010 
@@ -227,6 +227,27 @@ on demand.</p> </attribute> + <attribute name="sessionCookieDomain" required="false"> + <p>The domain to be used for all session cookies created for this + Context. If not set, no domain will be specified for session cookies. + </p> + </attribute> + + <attribute name="sessionCookieName" required="false"> + <p>The name to be used for all session cookies created for this + Context. If not set, the default of JSESSIONID will be used. Note that + this default will be overridden by the + <strong>org.apache.catalina.SESSION_COOKIE_NAME</strong> system + property.</p> + </attribute> + + <attribute name="sessionCookiePath" required="false"> + <p>The path to be used for all session cookies created for this + Context. If not set, the context path will be used. Note that this will + be overridden by the <strong>emptySessionPath</strong> attribute on the + connector used to access this Context.</p> + </attribute> + <attribute name="wrapperClass" required="false"> <p>Java class name of the <code>org.apache.catalina.Wrapper</code> implementation class that will be used for servlets managed by this --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org