Implement appname.protectedSessionCookie property in apps.properties.
If set to "false", session cookies will not be bound to the client's IP subnet; any other value, or leaving the property unset, keeps the binding enabled (the default).
This commit is contained in:
parent
21e98e793e
commit
6c44c5fa66
2 changed files with 64 additions and 25 deletions
|
@ -282,6 +282,7 @@ public class ApplicationManager implements XmlRpcHandler {
|
||||||
String xmlrpcHandlerName;
|
String xmlrpcHandlerName;
|
||||||
String cookieDomain;
|
String cookieDomain;
|
||||||
String sessionCookieName;
|
String sessionCookieName;
|
||||||
|
String protectedSessionCookie;
|
||||||
String uploadLimit;
|
String uploadLimit;
|
||||||
String debug;
|
String debug;
|
||||||
boolean encode;
|
boolean encode;
|
||||||
|
@ -310,6 +311,7 @@ public class ApplicationManager implements XmlRpcHandler {
|
||||||
|
|
||||||
cookieDomain = props.getProperty(name + ".cookieDomain");
|
cookieDomain = props.getProperty(name + ".cookieDomain");
|
||||||
sessionCookieName = props.getProperty(name + ".sessionCookieName");
|
sessionCookieName = props.getProperty(name + ".sessionCookieName");
|
||||||
|
protectedSessionCookie = props.getProperty(name + ".protectedSessionCookie");
|
||||||
uploadLimit = props.getProperty(name + ".uploadLimit");
|
uploadLimit = props.getProperty(name + ".uploadLimit");
|
||||||
debug = props.getProperty(name + ".debug");
|
debug = props.getProperty(name + ".debug");
|
||||||
encode = "true".equalsIgnoreCase(props.getProperty(name +
|
encode = "true".equalsIgnoreCase(props.getProperty(name +
|
||||||
|
@ -463,6 +465,10 @@ public class ApplicationManager implements XmlRpcHandler {
|
||||||
holder.setInitParameter("sessionCookieName", sessionCookieName);
|
holder.setInitParameter("sessionCookieName", sessionCookieName);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (protectedSessionCookie != null) {
|
||||||
|
holder.setInitParameter("protectedSessionCookie", protectedSessionCookie);
|
||||||
|
}
|
||||||
|
|
||||||
if (uploadLimit != null) {
|
if (uploadLimit != null) {
|
||||||
holder.setInitParameter("uploadLimit", uploadLimit);
|
holder.setInitParameter("uploadLimit", uploadLimit);
|
||||||
}
|
}
|
||||||
|
|
|
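Review bot: The new `protectedSessionCookie` field is the only setting in this group whose value weakens a security control, and nothing here records that only the literal string "false" (case-insensitive) has that effect while any other value or an absent property keeps the ip-subnet binding on. A one-line comment next to the field declaration would save the next maintainer a trip to AbstractServletClient: `// "false" disables binding session cookies to the client's ip subnet; any other value keeps the binding`. The value is passed through unchanged as an init parameter, so the interpretation lives entirely in the servlet; that is fine, but the comment should say so.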
@ -51,6 +51,10 @@ public abstract class AbstractServletClient extends HttpServlet {
|
||||||
// cookie name for session cookies
|
// cookie name for session cookies
|
||||||
String sessionCookieName = "HopSession";
|
String sessionCookieName = "HopSession";
|
||||||
|
|
||||||
|
// this tells us whether to bind session cookies to client ip subnets
|
||||||
|
// so they can't be easily used from other ip addresses when hijacked
|
||||||
|
boolean protectedSessionCookie = true;
|
||||||
|
|
||||||
// allow caching of responses
|
// allow caching of responses
|
||||||
boolean caching;
|
boolean caching;
|
||||||
|
|
||||||
|
@ -69,23 +73,32 @@ public abstract class AbstractServletClient extends HttpServlet {
|
||||||
|
|
||||||
// get max size for file uploads
|
// get max size for file uploads
|
||||||
String upstr = init.getInitParameter("uploadLimit");
|
String upstr = init.getInitParameter("uploadLimit");
|
||||||
|
try {
|
||||||
uploadLimit = (upstr == null) ? 1024 : Integer.parseInt(upstr);
|
uploadLimit = (upstr == null) ? 1024 : Integer.parseInt(upstr);
|
||||||
|
} catch (NumberFormatException x) {
|
||||||
|
System.err.println("Bad format for uploadLimit: " + upstr);
|
||||||
|
uploadLimit = 1024;
|
||||||
|
}
|
||||||
|
|
||||||
// get cookie domain
|
// get cookie domain
|
||||||
cookieDomain = init.getInitParameter("cookieDomain");
|
cookieDomain = init.getInitParameter("cookieDomain");
|
||||||
|
|
||||||
if (cookieDomain != null) {
|
if (cookieDomain != null) {
|
||||||
cookieDomain = cookieDomain.toLowerCase();
|
cookieDomain = cookieDomain.toLowerCase();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// get session cookie name
|
||||||
sessionCookieName = init.getInitParameter("sessionCookieName");
|
sessionCookieName = init.getInitParameter("sessionCookieName");
|
||||||
|
|
||||||
if (sessionCookieName == null) {
|
if (sessionCookieName == null) {
|
||||||
sessionCookieName = "HopSession";
|
sessionCookieName = "HopSession";
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// disable binding session cookie to ip address?
|
||||||
|
protectedSessionCookie = !("false".equalsIgnoreCase(init.getInitParameter("protectedSessionCookie")));
|
||||||
|
|
||||||
|
// debug mode for printing out detailed error messages
|
||||||
debug = ("true".equalsIgnoreCase(init.getInitParameter("debug")));
|
debug = ("true".equalsIgnoreCase(init.getInitParameter("debug")));
|
||||||
|
|
||||||
|
// generally disable response caching for clients?
|
||||||
caching = !("false".equalsIgnoreCase(init.getInitParameter("caching")));
|
caching = !("false".equalsIgnoreCase(init.getInitParameter("caching")));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -498,31 +511,51 @@ public abstract class AbstractServletClient extends HttpServlet {
|
||||||
* Check if the session cookie is set and valid for this request.
|
* Check if the session cookie is set and valid for this request.
|
||||||
* If not, create a new one.
|
* If not, create a new one.
|
||||||
*/
|
*/
|
||||||
private void checkSessionCookie(HttpServletRequest request, HttpServletResponse response,
|
private void checkSessionCookie(HttpServletRequest request,
|
||||||
RequestTrans reqtrans, String resCookieDomain) {
|
HttpServletResponse response,
|
||||||
// check if we need to create a session id. also handle the
|
RequestTrans reqtrans,
|
||||||
// case that the session id doesn't match the remote host address
|
String domain) {
|
||||||
StringBuffer b = new StringBuffer();
|
// check if we need to create a session id.
|
||||||
addIPAddress(b, request.getRemoteAddr());
|
if (protectedSessionCookie) {
|
||||||
addIPAddress(b, request.getHeader("X-Forwarded-For"));
|
// If protected session cookies are enabled we also force a new session
|
||||||
addIPAddress(b, request.getHeader("Client-ip"));
|
// if the existing session id doesn't match the client's ip address
|
||||||
if ((reqtrans.session == null) || !reqtrans.session.startsWith(b.toString())) {
|
StringBuffer b = new StringBuffer();
|
||||||
b.append (Long.toString(Math.round(Math.random() * Long.MAX_VALUE) -
|
addIPAddress(b, request.getRemoteAddr());
|
||||||
System.currentTimeMillis(), 36));
|
addIPAddress(b, request.getHeader("X-Forwarded-For"));
|
||||||
|
addIPAddress(b, request.getHeader("Client-ip"));
|
||||||
reqtrans.session = b.toString();
|
if (reqtrans.session == null || !reqtrans.session.startsWith(b.toString())) {
|
||||||
Cookie c = new Cookie(sessionCookieName, reqtrans.session);
|
response.addCookie(createSessionCookie(b, reqtrans, domain));
|
||||||
|
|
||||||
c.setPath("/");
|
|
||||||
|
|
||||||
if (resCookieDomain != null) {
|
|
||||||
c.setDomain(resCookieDomain);
|
|
||||||
}
|
}
|
||||||
|
} else if (reqtrans.session == null) {
|
||||||
response.addCookie(c);
|
response.addCookie(createSessionCookie(new StringBuffer(), reqtrans, domain));
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Create a new session cookie.
|
||||||
|
*
|
||||||
|
* @param b
|
||||||
|
* @param reqtrans
|
||||||
|
* @param domain
|
||||||
|
* @return the session cookie
|
||||||
|
*/
|
||||||
|
private Cookie createSessionCookie(StringBuffer b,
|
||||||
|
RequestTrans reqtrans,
|
||||||
|
String domain) {
|
||||||
|
b.append (Long.toString(Math.round(Math.random() * Long.MAX_VALUE) -
|
||||||
|
System.currentTimeMillis(), 36));
|
||||||
|
|
||||||
|
reqtrans.session = b.toString();
|
||||||
|
Cookie cookie = new Cookie(sessionCookieName, reqtrans.session);
|
||||||
|
|
||||||
|
cookie.setPath("/");
|
||||||
|
|
||||||
|
if (domain != null) {
|
||||||
|
cookie.setDomain(domain);
|
||||||
|
}
|
||||||
|
return cookie;
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Adds an the 3 most significant bytes of an IP address header to the
|
* Adds an the 3 most significant bytes of an IP address header to the
|
||||||
* session cookie id. Some headers may contain a list of IP addresses
|
* session cookie id. Some headers may contain a list of IP addresses
|
||||||
|
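Review bot: `createSessionCookie` still derives the session id from `Math.random()` (backed by the non-cryptographic `java.util.Random`) mixed with `System.currentTimeMillis()`, and with `protectedSessionCookie` set to "false" that predictable value is now the entire session identifier, since `checkSessionCookie` passes an empty buffer and no ip prefix is prepended. Use a CSPRNG instead: add a field `private static final SecureRandom sessionRandom = new SecureRandom();` and replace the `Math.round(Math.random() * Long.MAX_VALUE) - System.currentTimeMillis()` expression with `b.append(Long.toString(sessionRandom.nextLong(), 36));` (needs `import java.security.SecureRandom;`). In protected mode the prefix also includes `X-Forwarded-For` and `Client-ip`, which any client can set, so the binding is only as strong as the `getRemoteAddr()` part unless a trusted proxy strips those headers; that caveat belongs in the comment on the `protectedSessionCookie` field, e.g. `// note: the X-Forwarded-For / Client-ip parts are client-supplied and do not add protection on their own`. `addIPAddress` starts at the end of this hunk and continues outside it.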
|