* @param sessionCookieDomain The domain to use
*/
public void setSessionCookieDomain(String sessionCookieDomain);
+
+
+ /**
+ * Gets the path to use for session cookies. Overrides any setting that
+ * may be specified by the application.
+ *
+ * @return The value of the default session cookie path or null if not
+ * specified
+ */
+ public String getSessionCookiePath();
+
+
+ /**
+ * Sets the path to use for session cookies. Overrides any setting that
+ * may be specified by the application.
+ *
+ * @param sessionCookiePath The path to use
+ */
+ public void setSessionCookiePath(String sessionCookiePath);
+
/**
* Return the "allow crossing servlet contexts" flag.
*/
public boolean getCrossContext();
-
/**
* Return the alternate Deployment Descriptor name.
/**
- * Use "/" as path for session cookies ?
- */
- protected boolean emptySessionPath = false;
-
-
- /**
* The "enable DNS lookups" flag for this Connector.
*/
protected boolean enableLookups = false;
/**
- * Return the "empty session path" flag.
- */
- public boolean getEmptySessionPath() {
-
- return (this.emptySessionPath);
-
- }
-
-
- /**
- * Set the "empty session path" flag.
- *
- * @param emptySessionPath The new "empty session path" flag value
- */
- public void setEmptySessionPath(boolean emptySessionPath) {
-
- this.emptySessionPath = emptySessionPath;
- setProperty("emptySessionPath", String.valueOf(emptySessionPath));
-
- }
-
-
- /**
* Return the "enable DNS lookups" flag.
*/
public boolean getEnableLookups() {
if (response != null) {
Cookie newCookie =
- ApplicationSessionCookieConfig.createSessionCookie(
- context.getServletContext().getSessionCookieConfig(),
- newSessionId,
- secure,
- context.getUseHttpOnly(),
- response.getConnector().getEmptySessionPath(),
- context.getEncodedPath(),
- context.getSessionCookieDomain());
+ ApplicationSessionCookieConfig.createSessionCookie(context,
+ newSessionId, secure);
response.addCookie(newCookie);
}
}
// Do not reuse the session id if it is from a URL, to prevent possible
// phishing attacks
// Use the SSL session ID if one is present.
- if ((connector.getEmptySessionPath()
+ if (("/".equals(context.getSessionCookiePath())
&& isRequestedSessionIdFromCookie()) || requestedSessionSSL ) {
session = manager.createSession(getRequestedSessionId());
} else {
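Review bot: The rewritten condition `if (("/".equals(context.getSessionCookiePath())` keeps the session-fixation guard of the removed connector flag, but the comment above it still only explains the URL case, so the reason an exact "/" is required is no longer visible. Suggest extending the comment: `// Reuse a cookie-supplied id only when this context issues its session cookie at path "/", i.e. the id is deliberately shared host-wide by configuration; a cookie scoped to another context's path must not become this context's session.` The comparison is literal, so only the string "/" enables sharing (a context with a more specific sessionCookiePath always gets a fresh session) — presumably intended, and worth stating. doGetSession starts and ends outside the hunk.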
SessionTrackingMode.COOKIE)) {
Cookie cookie =
ApplicationSessionCookieConfig.createSessionCookie(
- context.getServletContext().getSessionCookieConfig(),
- session.getIdInternal(),
- isSecure(),
- context.getUseHttpOnly(),
- connector.getEmptySessionPath(),
- context.getEncodedPath(),
- context.getSessionCookieDomain());
+ context, session.getIdInternal(), isSecure());
response.addCookieInternal(cookie);
}
import javax.servlet.SessionCookieConfig;
import javax.servlet.http.Cookie;
+import org.apache.catalina.Context;
import org.apache.catalina.Globals;
public class ApplicationSessionCookieConfig implements SessionCookieConfig {
/**
* Creates a new session cookie for the given session ID
*
- * @param scc The default session cookie configuration
+ * @param conetxt The Context for the web application
* @param sessionId The ID of the session for which the cookie will be
* created
* @param secure Should session cookie be configured as secure
- * @param httpOnly Should session cookie be configured as httpOnly
- * @param emptyPath Should session cookie be configured with empty path
- * @param contextPath Context path to use if required
- * @param domain Domain to use for the session cookie. If null, use the
- * domain specified by the scc parameter.
*/
- public static Cookie createSessionCookie(SessionCookieConfig scc,
- String sessionId, boolean secure, boolean httpOnly,
- boolean emptyPath, String contextPath, String domain) {
-
- // Session config can over-ride default name
- String cookieName = scc.getName();
- if (cookieName == null) {
- cookieName = Globals.SESSION_COOKIE_NAME;
- }
- Cookie cookie = new Cookie(cookieName, sessionId);
+ public static Cookie createSessionCookie(Context context,
+ String sessionId, boolean secure) {
+
+ SessionCookieConfig scc =
+ context.getServletContext().getSessionCookieConfig();
+
+ // NOTE: The priority order for session cookie configuration is:
+ // 1. Context level configuration
+ // 2. Values from SessionCookieConfig
+ // 3. Defaults
+
+ String cookieName = scc.getName();
+ if (cookieName == null) {
+ cookieName = Globals.SESSION_COOKIE_NAME;
+ }
+ Cookie cookie = new Cookie(cookieName, sessionId);
- // Just apply the defaults.
- cookie.setMaxAge(scc.getMaxAge());
- cookie.setComment(scc.getComment());
+ // Just apply the defaults.
+ cookie.setMaxAge(scc.getMaxAge());
+ cookie.setComment(scc.getComment());
- if (domain == null) {
- // Avoid possible NPE
- if (scc.getDomain() != null) {
- cookie.setDomain(scc.getDomain());
- }
- } else {
- cookie.setDomain(domain);
- }
-
- // Always set secure if the request is secure
- if (scc.isSecure() || secure) {
- cookie.setSecure(true);
- }
-
- // Always set httpOnly if the context is configured for that
- if (scc.isHttpOnly() || httpOnly) {
- cookie.setHttpOnly(true);
- }
+ if (context.getSessionCookieDomain() == null) {
+ // Avoid possible NPE
+ if (scc.getDomain() != null) {
+ cookie.setDomain(scc.getDomain());
+ }
+ } else {
+ cookie.setDomain(context.getSessionCookieDomain());
+ }
+
+ // Always set secure if the request is secure
+ if (scc.isSecure() || secure) {
+ cookie.setSecure(true);
+ }
+
+ // Always set httpOnly if the context is configured for that
+ if (scc.isHttpOnly() || context.getUseHttpOnly()) {
+ cookie.setHttpOnly(true);
+ }
- // Don't set the path if the connector is configured to over-ride
- if (!emptyPath && scc.getPath() != null) {
- cookie.setPath(scc.getPath());
- } else {
- if (!emptyPath && contextPath != null && (contextPath.length() > 0)) {
- cookie.setPath(contextPath);
- } else {
- cookie.setPath("/");
- }
- }
- return cookie;
- }
-
-
+ String contextPath = context.getSessionCookiePath();
+ if (contextPath == null || contextPath.length() == 0) {
+ contextPath = scc.getPath();
+ }
+ if (contextPath == null || contextPath.length() == 0) {
+ contextPath = context.getEncodedPath();
+ }
+ cookie.setPath(contextPath);
+
+ return cookie;
+ }
}
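Review bot: The new path resolution ending in `contextPath = context.getEncodedPath();` and `cookie.setPath(contextPath);` drops the `"/"` fallback the removed code had, so for a context whose encoded path is the empty string the cookie is emitted with an empty Path attribute; a client then applies the request's default-path, which can scope the session cookie to whichever directory first created it and leave the host with several competing session cookies. Add a final guard before `cookie.setPath(contextPath);`: `if (contextPath.length() == 0) { contextPath = "/"; }`. The Javadoc `@param conetxt` misspells the parameter and should read `@param context The Context for the web application`. The added priority comment (context, then SessionCookieConfig, then defaults) describes domain, secure, httpOnly and path, but name, maxAge and comment are still taken from scc alone, so the comment should say which attributes it covers.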
/**
+ * The path to use for session cookies. <code>null</code> indicates that
+ * the path is controlled by the application.
+ */
+ private String sessionCookiePath;
+
+
+ /**
* The Jar scanner to use to search for Jars that might contain
* configuration information such as TLDs or web-fragment.xml files.
*/
/**
+ * Gets the path to use for session cookies. Overrides any setting that
+ * may be specified by the application.
+ *
+ * @return The value of the default session cookie path or null if not
+ * specified
+ */
+ public String getSessionCookiePath() {
+ return sessionCookiePath;
+ }
+
+
+ /**
+ * Sets the path to use for session cookies. Overrides any setting that
+ * may be specified by the application.
+ *
+ * @param sessionCookiePath The path to use
+ */
+ public void setSessionCookiePath(String sessionCookiePath) {
+ String oldSessionCookiePath = this.sessionCookiePath;
+ this.sessionCookiePath = sessionCookiePath;
+ support.firePropertyChange("sessionCookiePath",
+ oldSessionCookiePath, sessionCookiePath);
+ }
+
+
+ /**
* Return the "allow crossing servlet contexts" flag.
*/
public boolean getCrossContext() {
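Review bot: `setSessionCookiePath` stores any string unchecked, and elsewhere in this commit the value is passed straight to `cookie.setPath(...)` for every session cookie of the context. A Path value that does not begin with `/` is ignored by RFC 6265 clients, which fall back to the request default-path, so a mistyped setting breaks session tracking silently instead of failing at configuration time; consider `if (sessionCookiePath != null && !sessionCookiePath.startsWith("/")) { throw new IllegalArgumentException("sessionCookiePath must start with '/'"); }`, or at least document the constraint in the setter Javadoc. The Javadoc should also state that a value of `/` makes the session cookie visible to every context on the host, since that is the behaviour the removed connector flag used to enable and the new docs recommend it for portlet deployments.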
HTTP method. If not specified, this attribute is set to false.</p>
</attribute>
- <attribute name="emptySessionPath" required="false">
- <p>If set to <code>true</code>, all paths for session cookies will be set
- to <code>/</code>. This can be useful for portlet specification
- implementations. If not specified, this attribute is set to
- <code>false</code>.</p>
- </attribute>
-
<attribute name="enableLookups" required="false">
<p>Set to <code>true</code> if you want calls to
<code>request.getRemoteHost()</code> to perform DNS lookups in
used.</p>
</attribute>
+ <attribute name="sessionCookiePath" required="false">
+ <p>The path to be used for all session cookies created for this
+ context. If set, this overrides any path set by the web application.
+ If not set, the value specified by the web application will be used, or
+ the context path used if the web application does not explicitly set
+ one. To configure all web application to use an empty path (this can be
+ useful for portlet specification implementations) set this attribute to
+ <code>/</code> in the global <code>CATALINA_BASE/conf/context.xml</code>
+ file.</p>
+ </attribute>
+
<attribute name="wrapperClass" required="false">
<p>Java class name of the <code>org.apache.catalina.Wrapper</code>
implementation class that will be used for servlets managed by this
HTTP method. If not specified, this attribute is set to false.</p>
</attribute>
- <attribute name="emptySessionPath" required="false">
- <p>If set to <code>true</code>, all paths for session cookies will be set
- to <code>/</code>. This can be useful for portlet specification
- implementations. If not specified, this attribute is set to
- <code>false</code>.</p>
- </attribute>
-
<attribute name="enableLookups" required="false">
<p>Set to <code>true</code> if you want calls to
<code>request.getRemoteHost()</code> to perform DNS lookups in