tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From ma...@apache.org
Subject svn commit: r944398 - in /tomcat/tc6.0.x/trunk: STATUS.txt java/org/apache/catalina/connector/Request.java java/org/apache/catalina/connector/Response.java webapps/docs/changelog.xml
Date Fri, 14 May 2010 19:00:21 GMT
Author: markt
Date: Fri May 14 19:00:21 2010
New Revision: 944398

URL: http://svn.apache.org/viewvc?rev=944398&view=rev
Log:
Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=49158
Ensure only one session cookie is returned for a single request.

Modified:
    tomcat/tc6.0.x/trunk/STATUS.txt
    tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/Request.java
    tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/Response.java
    tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml

Modified: tomcat/tc6.0.x/trunk/STATUS.txt
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STATUS.txt?rev=944398&r1=944397&r2=944398&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/STATUS.txt (original)
+++ tomcat/tc6.0.x/trunk/STATUS.txt Fri May 14 19:00:21 2010
@@ -221,21 +221,6 @@ PATCHES PROPOSED TO BACKPORT:
   +1: kkolinko, markt, rjung
   -1:
 
-* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=49158
-  http://svn.apache.org/viewvc?view=revision&revision=935998
-  +1: fhanik
-  -1: kkolinko: 1) because Response#addSessionCookieInternal(..) skips
-        cookies.add(cookie); call
-        2) you need to take care of the useHttpOnly flag
-  -1: 
-  Alternative patch that addresses Konstatin's review comments
-  http://people.apache.org/~markt/patches/2010-05-05-bug49158.patch
-  +1: markt, kkolinko, rjung
-  -1: 
-   kkolinko: (Trivial: in generateCookieString() you can declare
-     httpOnlyParam as "final" and get rid of a local variable.)
-
-
 * Configure Tomcat to use HttpOnly for session cookies by default
   http://people.apache.org/~kkolinko/patches/2010-04-21_tc6_context_httpOnly.patch
   +1: kkolinko

Modified: tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/Request.java
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/Request.java?rev=944398&r1=944397&r2=944398&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/Request.java (original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/Request.java Fri May 14 19:00:21
2010
@@ -68,7 +68,6 @@ import org.apache.catalina.core.Applicat
 import org.apache.catalina.realm.GenericPrincipal;
 import org.apache.catalina.util.Enumerator;
 import org.apache.catalina.util.ParameterMap;
-import org.apache.catalina.util.RequestUtil;
 import org.apache.catalina.util.StringManager;
 import org.apache.catalina.util.StringParser;
 
@@ -2269,9 +2268,10 @@ public class Request
                 newCookie.setSecure(true);
             }
             if (context == null) {
-            	response.addCookieInternal(newCookie, false);
+            	response.addSessionCookieInternal(newCookie, false);
             } else {
-            	response.addCookieInternal(newCookie, context.getUseHttpOnly());
+            	response.addSessionCookieInternal(newCookie,
+            	        context.getUseHttpOnly());
             }
         }
     }
@@ -2398,7 +2398,7 @@ public class Request
             Cookie cookie = new Cookie(Globals.SESSION_COOKIE_NAME,
                                        session.getIdInternal());
             configureSessionCookie(cookie);
-            response.addCookieInternal(cookie, context.getUseHttpOnly());
+            response.addSessionCookieInternal(cookie, context.getUseHttpOnly());
         }
 
         if (session != null) {

Modified: tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/Response.java
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/Response.java?rev=944398&r1=944397&r2=944398&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/Response.java (original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/catalina/connector/Response.java Fri May 14 19:00:21
2010
@@ -30,6 +30,7 @@ import java.security.PrivilegedException
 import java.text.SimpleDateFormat;
 import java.util.ArrayList;
 import java.util.Enumeration;
+import java.util.Iterator;
 import java.util.Locale;
 import java.util.TimeZone;
 import java.util.Vector;
@@ -222,7 +223,7 @@ public class Response
     /**
      * The set of Cookies associated with this Response.
      */
-    protected ArrayList cookies = new ArrayList();
+    protected ArrayList<Cookie> cookies = new ArrayList<Cookie>();
 
 
     /**
@@ -864,7 +865,7 @@ public class Response
      * a zero-length array if no cookies have been set.
      */
     public Cookie[] getCookies() {
-        return ((Cookie[]) cookies.toArray(new Cookie[cookies.size()]));
+        return cookies.toArray(new Cookie[cookies.size()]);
     }
 
 
@@ -968,7 +969,47 @@ public class Response
 
     }
 
-
+    /**
+     * Special method for adding a session cookie as we should be overriding 
+     * any previous 
+     * @param cookie
+     */
+    public void addSessionCookieInternal(final Cookie cookie,
+            boolean httpOnly) {
+        if (isCommitted())
+            return;
+        
+        String name = cookie.getName();
+        final String headername = "Set-Cookie";
+        final String startsWith = name + "=";
+        final StringBuffer sb = generateCookieString(cookie, httpOnly);
+        boolean set = false;
+        MimeHeaders headers = coyoteResponse.getMimeHeaders();
+        int n = headers.size();
+        for (int i = 0; i < n; i++) {
+            if (headers.getName(i).toString().equals(headername)) {
+                if (headers.getValue(i).toString().startsWith(startsWith)) {
+                    headers.setValue(sb.toString());
+                    set = true;
+                }
+            }
+        }
+        if (set) {
+            Iterator<Cookie> iter = cookies.iterator();
+            while (iter.hasNext()) {
+                Cookie c = iter.next();
+                if (name.equals(c.getName())) {
+                    iter.remove();
+                    break;
+                }
+            }
+        } else {
+            addHeader(headername, sb.toString());
+        }
+        cookies.add(cookie);
+        
+        
+    }
     /**
      * Add the specified Cookie to those that will be included with
      * this Response.
@@ -991,6 +1032,18 @@ public class Response
         if (isCommitted())
             return;
 
+        final StringBuffer sb = generateCookieString(cookie, httpOnly);
+        //if we reached here, no exception, cookie is valid
+        // the header name is Set-Cookie for both "old" and v.1 ( RFC2109 )
+        // RFC2965 is not supported by browsers and the Servlet spec
+        // asks for 2109.
+        addHeader("Set-Cookie", sb.toString());
+
+        cookies.add(cookie);
+    }
+
+    public StringBuffer generateCookieString(final Cookie cookie, 
+            final boolean httpOnly) {
         final StringBuffer sb = new StringBuffer();
         //web application code can receive a IllegalArgumentException 
         //from the appendCookieValue invokation
@@ -1012,13 +1065,7 @@ public class Response
                      cookie.getPath(), cookie.getDomain(), cookie.getComment(), 
                      cookie.getMaxAge(), cookie.getSecure(), httpOnly);
         }
-        //if we reached here, no exception, cookie is valid
-        // the header name is Set-Cookie for both "old" and v.1 ( RFC2109 )
-        // RFC2965 is not supported by browsers and the Servlet spec
-        // asks for 2109.
-        addHeader("Set-Cookie", sb.toString());
-
-        cookies.add(cookie);
+        return sb;
     }
 
 

Modified: tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml?rev=944398&r1=944397&r2=944398&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml Fri May 14 19:00:21 2010
@@ -103,6 +103,10 @@
         prevent memory leak. (kfujino)
       </fix>
       <fix>
+        <bug>49158</bug>: Ensure only one session cookie is returned for a
+        single request. (markt/fhanik)
+      </fix>
+      <fix>
         <bug>49245</bug>: Fix session expiration check in cross-context
         requests. (markt)
       </fix>



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Mime
View raw message