/**
+ * Change the session ID of the current session to a new randomly generated
+ * session ID.
+ *
+ * @param session The session to change the session ID for
+ */
+ public void changeSessionId(Session session);
+
+
+ /**
* Get a session from the recycled ones or create a new empty one.
* The PersistentManager manager does not need to create session data
* because it reads it from the Store.
import org.apache.catalina.Lifecycle;
import org.apache.catalina.LifecycleException;
import org.apache.catalina.LifecycleListener;
+import org.apache.catalina.Manager;
import org.apache.catalina.Pipeline;
import org.apache.catalina.Realm;
import org.apache.catalina.Session;
/**
+ * Should the session ID, if any, be changed upon a successful
+ * authentication to prevent a session fixation attack?
+ */
+ protected boolean changeSessionIdOnAuthentication = true;
+
+ /**
* The Context to which this Valve is attached.
*/
protected Context context = null;
*/
return;
}
+
}
if (log.isDebugEnabled()) {
request.setUserPrincipal(principal);
Session session = request.getSessionInternal(false);
+
+ if (session != null && changeSessionIdOnAuthentication) {
+ Manager manager = request.getContext().getManager();
+ manager.changeSessionId(session);
+ request.changeSessionId(session.getId());
+ }
+
// Cache the authentication information in our session, if any
if (cache) {
if (session != null) {
/**
+ * Change the ID of the session that this request is associated with. There
+ * are several things that may trigger an ID change. These include mmoving
+ * between nodes in a cluster and session fixation prevention during the
+ * authentication process.
+ *
+ * @param session The session to change the session ID for
+ */
+ public void changeSessionId(String newSessionId) {
+ // This should only ever be called if there was an old session ID but
+ // double check to be sure
+ if (requestedSessionId != null && requestedSessionId.length() > 0) {
+ requestedSessionId = newSessionId;
+ }
+
+ if (context != null && !context.getServletContext()
+ .getEffectiveSessionTrackingModes().contains(
+ SessionTrackingMode.COOKIE))
+ return;
+
+ if (response != null) {
+ Cookie newCookie =
+ ApplicationSessionCookieConfig.createSessionCookie(
+ context.getServletContext().getSessionCookieConfig(),
+ newSessionId,
+ secure,
+ context.getUseHttpOnly(),
+ response.getConnector().getEmptySessionPath(),
+ context.getEncodedPath());
+ response.addCookie(newCookie);
+ }
+ }
+
+
+ /**
* Return the session associated with this Request, creating one
* if necessary and requested.
*
throw new ServletException(
sm.getString("coyoteRequest.authFail", username));
}
- // Assume if we have a non-null LogonConfig then we must have an
+ // Assume if we have a non-null LoginConfig then we must have an
// authenticator
context.getAuthenticator().register(this, getResponse(), principal,
authMethod, username, password);
* new session id for node migration
*/
protected void changeRequestSessionID(Request request, Response response, String sessionId, String newSessionID) {
- request.setRequestedSessionId(newSessionID);
- if(request.isRequestedSessionIdFromCookie())
- setNewSessionCookie(request, response,newSessionID);
+ request.changeSessionId(newSessionID);
+
// set original sessionid at request, to allow application detect the
// change
if (sessionIdAttribute != null && !"".equals(sessionIdAttribute)) {
* @param request current request
* @param response Tomcat Response
* @param sessionId The session id
+ *
+ * @deprecated Use {@link Request#changeSessionId(String)}
*/
protected void setNewSessionCookie(Request request,
Response response, String sessionId) {
}
+ /**
+ * Change the session ID of the current session to a new randomly generated
+ * session ID.
+ *
+ * @param session The session to change the session ID for
+ */
+ public void changeSessionId(Session session) {
+ session.setId(generateSessionId());
+ }
+
+
// ------------------------------------------------------ Protected Methods
<strong>org.apache.catalina.authenticator.BasicAuthenticator</strong>.</p>
</attribute>
+ <attribute name="changeSessionIdOnAuthentication" required="false">
+ <p>Controls if the session ID is changed if a session exists at the
+ point where users are authenticated. This is to prevent session fixation
+ attacks. If not set, the default value of <code>true</code> will be
+ used.</p>
+ </attribute>
+
<attribute name="disableProxyCaching" required="false">
<p>Controls the caching of pages that are protected by security
constraints. Setting this to <code>false</code> may help work around
<strong>org.apache.catalina.authenticator.DigestAuthenticator</strong>.</p>
</attribute>
+ <attribute name="changeSessionIdOnAuthentication" required="false">
+ <p>Controls if the session ID is changed if a session exists at the
+ point where users are authenticated. This is to prevent session fixation
+ attacks. If not set, the default value of <code>true</code> will be
+ used.</p>
+ </attribute>
+
<attribute name="disableProxyCaching" required="false">
<p>Controls the caching of pages that are protected by security
constraints. Setting this to <code>false</code> may help work around
<strong>org.apache.catalina.authenticator.FormAuthenticator</strong>.</p>
</attribute>
+ <attribute name="changeSessionIdOnAuthentication" required="false">
+ <p>Controls if the session ID is changed if a session exists at the
+ point where users are authenticated. This is to prevent session fixation
+ attacks. If not set, the default value of <code>true</code> will be
+ used.</p>
+ </attribute>
+
<attribute name="characterEncoding" required="false">
<p>Character encoding to use to read the username and password parameters
from the request. If not set, the encoding of the request body will be
<strong>org.apache.catalina.authenticator.SSLAuthenticator</strong>.</p>
</attribute>
+ <attribute name="changeSessionIdOnAuthentication" required="false">
+ <p>Controls if the session ID is changed if a session exists at the
+ point where users are authenticated. This is to prevent session fixation
+ attacks. If not set, the default value of <code>true</code> will be
+ used.</p>
+ </attribute>
+
<attribute name="disableProxyCaching" required="false">
<p>Controls the caching of pages that are protected by security
constraints. Setting this to <code>false</code> may help work around
projects / tomcat7.0 / commitdiff