Vojtech Szocs has posted comments on this change.

Change subject: userportal, webadmin: prevent session fixation
......................................................................


Patch Set 1: Code-Review+2

(2 comments)

http://gerrit.ovirt.org/#/c/25959/1/frontend/webadmin/modules/frontend/src/main/java/org/ovirt/engine/ui/frontend/server/gwt/GenericApiGWTServiceImpl.java
File 
frontend/webadmin/modules/frontend/src/main/java/org/ovirt/engine/ui/frontend/server/gwt/GenericApiGWTServiceImpl.java:

Line 174:         // Prevent session fixation.
Line 175:         getSession().invalidate();
Line 176:         // Calling getSession again after invalidating it should 
create a new session.
Line 177:         HttpSession newSession = getSession();
Line 178:         assert !newSession.equals(originalSession) : "new session the 
same as old session"; //$NON-NLS-1$
In this case, the assert statement makes sense to me, because "new session being the 
same as old session" is a serious problem that should be handled.
Line 179: 
Line 180:         params.setSessionId(getSession().getId());
Line 181:         params.setActionType(loginType);
Line 182:         VdcReturnValueBase returnValue = getBackend().login(params);
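Review bot: the check on Line 178 is a Java assert, which is a no-op unless the JVM is started with -ea, so in a normal production deployment a failure to rotate the session id would pass silently and login at Line 182 would proceed on the old id. If the position in the comment above holds (same session after invalidate is a serious problem that should be handled), make the check unconditional, e.g. if (newSession.equals(originalSession)) { throw new IllegalStateException("session id was not rotated on login"); } and keep the assert only as documentation, if at all.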


Line 175:         getSession().invalidate();
Line 176:         // Calling getSession again after invalidating it should 
create a new session.
Line 177:         HttpSession newSession = getSession();
Line 178:         assert !newSession.equals(originalSession) : "new session the 
same as old session"; //$NON-NLS-1$
Line 179: 
> Note this doesn't copy any values from the old session, which is something 
I think that attributes of the old session shouldn't be carried over to the new session 
in general.

If we want attributes to span multiple sessions, we can use a different 
persistence mechanism (other than HttpSession.get/setAttribute).
Line 180:         params.setSessionId(getSession().getId());
Line 181:         params.setActionType(loginType);
Line 182:         VdcReturnValueBase returnValue = getBackend().login(params);
Line 183:         return returnValue;
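Review bot: Line 180 calls getSession() a third time to read the id, although newSession from Line 177 already refers to the freshly created session and is otherwise used only inside the assert on Line 178; with assertions disabled the variable is effectively unused. Use newSession.getId() on Line 180 so the id passed to the backend visibly comes from the session that was just created rather than from another lookup.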


-- 
To view, visit http://gerrit.ovirt.org/25959
To unsubscribe, visit http://gerrit.ovirt.org/settings

Gerrit-MessageType: comment
Gerrit-Change-Id: I3df427683c924f10cb59f4af1dd067fcfd21a8f2
Gerrit-PatchSet: 1
Gerrit-Project: ovirt-engine
Gerrit-Branch: master
Gerrit-Owner: Alexander Wels <aw...@redhat.com>
Gerrit-Reviewer: Alexander Wels <aw...@redhat.com>
Gerrit-Reviewer: Einav Cohen <eco...@redhat.com>
Gerrit-Reviewer: Vojtech Szocs <vsz...@redhat.com>
Gerrit-Reviewer: automat...@ovirt.org
Gerrit-HasComments: Yes
_______________________________________________
Engine-patches mailing list
Engine-patches@ovirt.org
http://lists.ovirt.org/mailman/listinfo/engine-patches
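Added example, not part of the oVirt patch or of this review: a self-contained Java program that models the servlet session store with a small constructed in-memory class (SessionStore and its Session are hypothetical stand-ins for the container's HttpSession handling, not servlet API) and plays the fixation scenario both ways. loginWithoutRotation authenticates whatever session id the request carried, so an id the attacker planted becomes an authenticated one; loginWithRotation follows the pattern of the patch above (invalidate, obtain a fresh session, copy no attributes) but replaces the assert with an explicit check, since Java assertions do not run unless the JVM is started with -ea.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

/** Constructed in-memory model of a container session store (not servlet API). */
final class SessionStore {
    static final class Session {
        final String id;
        final Map<String, Object> attributes = new HashMap<>();
        boolean valid = true;
        Session(String id) { this.id = id; }
    }

    private final Map<String, Session> sessions = new HashMap<>();
    private final SecureRandom random = new SecureRandom();

    /** 128-bit random, URL-safe session id. */
    String newId() {
        byte[] b = new byte[16];
        random.nextBytes(b);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
    }

    /** Like HttpServletRequest.getSession(): the live session named by the cookie, or a new one. */
    Session getSession(String cookieId) {
        Session s = sessions.get(cookieId);
        if (s == null || !s.valid) {
            s = new Session(newId());
            sessions.put(s.id, s);
        }
        return s;
    }

    /** Like HttpSession.invalidate(): the id stops resolving and its attributes are dropped. */
    void invalidate(Session s) {
        s.valid = false;
        s.attributes.clear();
        sessions.remove(s.id);
    }

    boolean isAuthenticated(String cookieId) {
        Session s = sessions.get(cookieId);
        return s != null && s.valid && s.attributes.containsKey("user");
    }
}

public class SessionFixationDemo {
    /** Vulnerable: marks whatever session the request carried as authenticated. */
    static String loginWithoutRotation(SessionStore store, String cookieId, String user) {
        SessionStore.Session s = store.getSession(cookieId);
        s.attributes.put("user", user);
        return s.id;
    }

    /** Hardened: rotate the id on login and verify the rotation without relying on assert. */
    static String loginWithRotation(SessionStore store, String cookieId, String user) {
        SessionStore.Session original = store.getSession(cookieId);
        store.invalidate(original);
        // The cookie now names a dead session, so the store hands out a fresh one.
        SessionStore.Session fresh = store.getSession(cookieId);
        if (fresh.id.equals(original.id)) {
            // Explicit check: a Java assert here would be skipped unless the JVM runs with -ea.
            throw new IllegalStateException("session id was not rotated on login");
        }
        // Deliberately no attribute copy: pre-login state does not reach the authenticated session.
        fresh.attributes.put("user", user);
        return fresh.id;
    }

    public static void main(String[] args) {
        // Scenario: the attacker obtains a valid pre-auth id and plants it in the victim's browser.
        SessionStore store = new SessionStore();
        String planted = store.getSession(null).id;
        loginWithoutRotation(store, planted, "victim");
        System.out.println("no rotation: planted id authenticated = " + store.isAuthenticated(planted));

        store = new SessionStore();
        planted = store.getSession(null).id;
        String rotated = loginWithRotation(store, planted, "victim");
        System.out.println("rotation: planted id authenticated = " + store.isAuthenticated(planted));
        System.out.println("rotation: fresh id authenticated = " + store.isAuthenticated(rotated));
    }
}
```

Run with javac SessionFixationDemo.java and java SessionFixationDemo. The attacker only ever learns the planted id; after the rotated login that id no longer resolves, while the victim's browser receives the fresh id in the Set-Cookie the container emits for the new session.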
