tomcat-dev mailing list archives

From GOMEZ Henri <hgo...@slib.fr>
Subject RE: cvs commit: jakarta-tomcat/src/share/org/apache/tomcat/modules/session SessionId.java
Date Mon, 05 Nov 2001 10:46:04 GMT
Thanks Bojan :)

-
Henri Gomez                 ___[_]____
EMAIL : hgomez@slib.fr        (. .)                     
PGP KEY : 697ECEDD    ...oOOo..(_)..oOOo...
PGP Fingerprint : 9DF8 1EA8 ED53 2F39 DC9B 904A 364F 80E6 



>-----Original Message-----
>From: bojan@apache.org [mailto:bojan@apache.org]
>Sent: Monday, November 05, 2001 10:14 AM
>To: jakarta-tomcat-cvs@apache.org
>Subject: cvs commit:
>jakarta-tomcat/src/share/org/apache/tomcat/modules/session
>SessionId.java
>
>
>bojan       01/11/05 01:14:16
>
>  Modified:    src/share/org/apache/tomcat/modules/session 
>SessionId.java
>  Log:
>  Make SSL Session ID check optional
>  
>  Revision  Changes    Path
>  1.16      +7 -1      
>jakarta-tomcat/src/share/org/apache/tomcat/modules/session/Sess
>ionId.java
>  
>  Index: SessionId.java
>  ===================================================================
>  RCS file: 
>/home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/modules/se
>ssion/SessionId.java,v
>  retrieving revision 1.15
>  retrieving revision 1.16
>  diff -u -r1.15 -r1.16
>  --- SessionId.java	2001/11/05 06:34:09	1.15
>  +++ SessionId.java	2001/11/05 09:14:16	1.16
>  @@ -95,6 +95,7 @@
>       static final char SESSIONID_ROUTE_SEP = '.';
>       boolean noCookies=false;
>       boolean cookiesFirst=true;
>  +    boolean checkSSLSessionId=false;
>       
>       public SessionId() {
>       }
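Review bot: The new field `checkSSLSessionId` defaults to `false`, so with this change the SSL session ID comparison that revision 1.15 ran for every secure request with a session is switched off unless someone sets the flag. The comment around the check describes it as the way to notice somebody trying to steal Tomcat sessions over SSL, so consider defaulting to `true` and letting deployments opt out, or at least state in the log message that the default behaviour changes.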
>  @@ -107,6 +108,10 @@
>           this.noCookies = noCookies;
>       }
>   
>  +    public void setCheckSSLSessionId(boolean checkSSLSessionId) {
>  +        this.checkSSLSessionId = checkSSLSessionId;
>  +    }
>  +
>       
>       /** Extract the session id from the request.
>        * SessionInterceptor will have to be called _before_ mapper,
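Review bot: `setCheckSSLSessionId` is added without a Javadoc comment, while the method that follows it has one. A short comment saying that the flag enables comparing the SSL session ID stored in the session with the one on the request, and that it is off by default, would help whoever configures this module. The added blank line also lands next to an existing whitespace-only line, so one of the two can go.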
>  @@ -240,7 +245,8 @@
>              somebody is trying to steal Tomcat sessions over SSL.
>              We can't verify that if SSL is not used. */
>   
>  -        if(sess != null && request.isSecure() ){ // Request 
>is over SSL
>  +        // Do this only if request is over SSL
>  +        if(checkSSLSessionId && sess != null && 
>request.isSecure() ){
>             // SSL session ID from session and request - they 
>have to be equal!
>             String 
>ids=(String)sess.getAttribute("javax.servlet.request.ssl_session"),
>                    
>idr=(String)request.getAttribute("javax.servlet.request.ssl_session");
>  
>  
>  
>
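Review bot: The replacement comment above the `if` reads "Do this only if request is over SSL", but the condition now also requires `checkSSLSessionId`, so the comment covers only half of the test. Suggest wording it along the lines of "Compare SSL session IDs only when the check is enabled and the request is over SSL", and mentioning the option in the block comment above, which still reads as if the comparison always runs on secure requests.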
>--
>To unsubscribe, e-mail:   <mailto:tomcat-dev-unsubscribe@jakarta.apache.org>
>For additional commands, e-mail: <mailto:tomcat-dev-help@jakarta.apache.org>


