From 411b9198e44745850f16b35f197d33c87976884d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tobi=20Sch=C3=A4fer?=
Date: Sun, 5 Sep 2021 14:55:42 +0200
Subject: [PATCH] Change creation of HopSession cookie value

Only include one of either, IP forwarded by proxy or remote address
---
 src/main/java/helma/servlet/AbstractServletClient.java | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/src/main/java/helma/servlet/AbstractServletClient.java b/src/main/java/helma/servlet/AbstractServletClient.java
index 9310a642..77284078 100644
--- a/src/main/java/helma/servlet/AbstractServletClient.java
+++ b/src/main/java/helma/servlet/AbstractServletClient.java
@@ -554,8 +554,13 @@ public abstract class AbstractServletClient extends HttpServlet {
 // If protected session cookies are enabled we also force a new session
 // if the existing session id doesn't match the client's ip address
 StringBuffer buffer = new StringBuffer();
- addIPAddress(buffer, request.getRemoteAddr());
- addIPAddress(buffer, request.getHeader("X-Forwarded-For"));
+ String ip = request.getHeader("X-Forwarded-For");
+ if (ip != null && ip.length() != 0) {
+ addIPAddress(buffer, ip);
+ } else {
+ addIPAddress(buffer, request.getRemoteAddr());
+ }
+ // Not sure, if this line can be removed
 addIPAddress(buffer, request.getHeader("Client-ip"));
 if (reqtrans.getSession() == null || !reqtrans.getSession().startsWith(buffer.toString())) {
 createSession(response, buffer.toString(), reqtrans, domain);
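Review bot: With the new `if` branch the protected-session prefix is built only from request headers whenever `X-Forwarded-For` is present, so `request.getRemoteAddr()`, the one value the client cannot set, drops out of the check. Unless a front proxy is guaranteed to overwrite that header, the IP binding of the HopSession cookie then rests on a value the client supplies itself, and the same holds for the `Client-ip` header that is still appended unconditionally. I would honour the forwarded header only when the direct peer is a known proxy, e.g. `if (ip != null && ip.length() != 0 && isTrustedProxy(request.getRemoteAddr())) {`, where `isTrustedProxy` is a placeholder for a check against configured proxy addresses that this patch does not contain. `X-Forwarded-For` may also carry a comma-separated chain; how `addIPAddress` handles that is not visible here, so a short comment stating which entry is meant would help. The enclosing method starts and ends outside the hunk.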