Author: markt
Date: Thu Jul 3 11:37:27 2014
New Revision: 1607592
URL: http://svn.apache.org/r1607592
Log:
Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=56666
When clearing the SSO cookie use the same values for domain, path, httpOnly and
secure as were used to set the SSO cookie.
Modified:
tomcat/trunk/java/org/apache/catalina/authenticator/SingleSignOn.java
tomcat/trunk/webapps/docs/changelog.xml
Modified: tomcat/trunk/java/org/apache/catalina/authenticator/SingleSignOn.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/authenticator/SingleSignOn.java?rev=1607592&r1=1607591&r2=1607592&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/authenticator/SingleSignOn.java
(original)
+++ tomcat/trunk/java/org/apache/catalina/authenticator/SingleSignOn.java Thu
Jul 3 11:37:27 2014
@@ -313,7 +313,26 @@ public class SingleSignOn extends ValveB
if (containerLog.isDebugEnabled()) {
containerLog.debug(" No cached principal found, erasing SSO
cookie");
}
+ // No need to return a valid SSO session ID
+ cookie.setValue("REMOVE");
+ // Age of zero will trigger removal
cookie.setMaxAge(0);
+ // Domain and path have to match the original cookie to 'replace'
+ // the original cookie
+ cookie.setPath("/");
+ String domain = getCookieDomain();
+ if (domain != null) {
+ cookie.setDomain(domain);
+ }
+ // This is going to trigger a Set-Cookie header. While the value is
+ // not security sensitive, ensure that expectations for secure and
+ // httpOnly are met
+ cookie.setSecure(request.isSecure());
+ if
(request.getServletContext().getSessionCookieConfig().isHttpOnly() ||
+ request.getContext().getUseHttpOnly()) {
+ cookie.setHttpOnly(true);
+ }
+
response.addCookie(cookie);
}
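Review bot: the path is hard-coded to "/" even though the comment in this hunk says the domain and path must match the original cookie, and the domain is fetched through getCookieDomain(); consider exposing the original cookie's path the same way (a shared constant or helper used by both the set and the clear code paths) so the two cannot silently drift apart. A second caveat on `cookie.setSecure(request.isSecure());`: the Secure flag is taken from the request that clears the cookie, not from the one that set it, so if the SSO cookie was issued over HTTPS and the clearing request arrives over plain HTTP the attributes will not match and the browser may keep the original cookie; if that is an accepted limitation it is worth a comment next to the call. Finally, the httpOnly check duplicates the `isHttpOnly() || getUseHttpOnly()` condition presumably used when the cookie is set; a shared helper would keep the two in step.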
Modified: tomcat/trunk/webapps/docs/changelog.xml
URL:
http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1607592&r1=1607591&r2=1607592&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Thu Jul 3 11:37:27 2014
@@ -95,6 +95,11 @@
<fix>
Add configuration fields for header names in SSLValve. (remm)
</fix>
+ <fix>
+ <bug>56666</bug>: When clearing the SSO cookie use the same values for
+ domain, path, httpOnly and secure as were used to set the SSO cookie.
+ (markt)
+ </fix>
</changelog>
</subsection>
<subsection name="Coyote">