antville/helma
antville/helma
1
1
Fork 0
Code Issues 5 Pull requests 13 Projects Releases 5 Activity Actions

Change creation of HopSession cookie value

Browse source 
Only include one of either, IP forwarded by proxy or remote address
This commit is contained in:
Tobi Schäfer 2021-09-05 14:55:42 +02:00
parent 4fc158d6eb
commit 411b9198e4
1 changed files with 7 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

9
src/main/java/helma/servlet/AbstractServletClient.java
View file

@ -554,8 +554,13 @@ public abstract class AbstractServletClient extends HttpServlet {
// If protected session cookies are enabled we also force a new session
// if the existing session id doesn't match the client's ip address
StringBuffer buffer = new StringBuffer();
addIPAddress(buffer, request.getRemoteAddr());
addIPAddress(buffer, request.getHeader("X-Forwarded-For"));
String ip = request.getHeader("X-Forwarded-For");
if (ip != null && ip.length() != 0) {
addIPAddress(buffer, ip);
} else {
addIPAddress(buffer, request.getRemoteAddr());
}
// Not sure, if this line can be removed
addIPAddress(buffer, request.getHeader("Client-ip"));
if (reqtrans.getSession() == null || !reqtrans.getSession().startsWith(buffer.toString())) {
createSession(response, buffer.toString(), reqtrans, domain);