From 9310a15e2a781006a8ec1ec1f0d53a11f9a05b38 Mon Sep 17 00:00:00 2001 From: markt Date: Wed, 10 Mar 2010 12:54:16 +0000 Subject: [PATCH] Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=48258 for TC7 Allow session cookie domain to be over-ridden by context configuration in the same way httpOnly may be Based on a patch by Donn Aiken git-svn-id: https://svn.apache.org/repos/asf/tomcat/trunk@921331 13f79535-47bb-0310-9956-ffa450edef68 --- java/org/apache/catalina/Context.java | 20 +++++++++++++ java/org/apache/catalina/connector/Request.java | 6 ++-- .../core/ApplicationSessionCookieConfig.java | 15 +++++++--- java/org/apache/catalina/core/StandardContext.java | 35 +++++++++++++++++++++- webapps/docs/config/context.xml | 7 +++++ 5 files changed, 76 insertions(+), 7 deletions(-) diff --git a/java/org/apache/catalina/Context.java b/java/org/apache/catalina/Context.java index 595ed5eb5..621678737 100644 --- a/java/org/apache/catalina/Context.java +++ b/java/org/apache/catalina/Context.java @@ -175,6 +175,7 @@ public interface Context extends Container { */ public void setCookies(boolean cookies); + /** * Gets the value of the use HttpOnly cookies for session cookies flag. * @@ -192,6 +193,25 @@ public interface Context extends Container { */ public void setUseHttpOnly(boolean useHttpOnly); + + /** + * Gets the domain to use for session cookies. Overrides any setting that + * may be specified by the application. + * + * @return The value of the default session cookie domain or null if not + * specified + */ + public String getSessionCookieDomain(); + + + /** + * Sets the domain to use for session cookies. Overrides any setting that + * may be specified by the application. + * + * @param sessionCookieDomain The domain to use + */ + public void setSessionCookieDomain(String sessionCookieDomain); + /** * Return the "allow crossing servlet contexts" flag. */ 
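Review bot: The Javadoc on the new `setSessionCookieDomain` in the second hunk does not say how a null argument is treated, although the getter's `@return` documents null as "not specified"; the `@param` should state it, e.g. `@param sessionCookieDomain The domain to use, or null to leave the domain under the web application's control`. It would also help operators if the same comment noted that the value is applied as-is as the cookie's Domain attribute (the implementation hunk calls `cookie.setDomain(domain)` with it unchanged), so the session cookie becomes visible to every host under that domain and the narrowest domain covering the hosts that must share the session should be chosen. The copies of this Javadoc on the StandardContext implementation later in this patch would need the same wording.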
diff --git a/java/org/apache/catalina/connector/Request.java b/java/org/apache/catalina/connector/Request.java index b47d3b878..dd5c01cf3 100644 --- a/java/org/apache/catalina/connector/Request.java +++ b/java/org/apache/catalina/connector/Request.java @@ -2279,7 +2279,8 @@ public class Request secure, context.getUseHttpOnly(), response.getConnector().getEmptySessionPath(), - context.getEncodedPath()); + context.getEncodedPath(), + context.getSessionCookieDomain()); response.addCookie(newCookie); } } @@ -2560,7 +2561,8 @@ public class Request isSecure(), context.getUseHttpOnly(), connector.getEmptySessionPath(), - context.getEncodedPath()); + context.getEncodedPath(), + context.getSessionCookieDomain()); response.addCookieInternal(cookie); } diff --git a/java/org/apache/catalina/core/ApplicationSessionCookieConfig.java b/java/org/apache/catalina/core/ApplicationSessionCookieConfig.java index 09bc54f3f..faa22a349 100644 --- a/java/org/apache/catalina/core/ApplicationSessionCookieConfig.java +++ b/java/org/apache/catalina/core/ApplicationSessionCookieConfig.java @@ -112,10 +112,12 @@ public class ApplicationSessionCookieConfig implements SessionCookieConfig { * @param httpOnly Should session cookie be configured as httpOnly * @param emptyPath Should session cookie be configured with empty path * @param contextPath Context path to use if required + * @param domain Domain to use for the session cookie. If null, use the + * domain specified by the scc parameter. */ public static Cookie createSessionCookie(SessionCookieConfig scc, String sessionId, boolean secure, boolean httpOnly, - boolean emptyPath, String contextPath) { + boolean emptyPath, String contextPath, String domain) { // Session config can over-ride default name String cookieName = scc.getName(); 
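Review bot: The two call sites in this file (this hunk and the one at `@@ -2560,7 +2561,8 @@`) pass what appears to be the same `createSessionCookie` argument list assembled from `context` and connector state, and this change had to edit both lists in lockstep; a private helper on Request taking the session id and the secure flag would keep the two copies from drifting when the next cookie attribute is added. The only differences visible between them are `secure` versus `isSecure()` and `response.getConnector()` versus `connector`, which such a helper could take as parameters. The enclosing methods start and end outside both hunks, so their names are not visible here.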
@@ -127,9 +129,14 @@ public class ApplicationSessionCookieConfig implements SessionCookieConfig { // Just apply the defaults. cookie.setMaxAge(scc.getMaxAge()); cookie.setComment(scc.getComment()); - // Avoid possible NPE - if (scc.getDomain() != null) { - cookie.setDomain(scc.getDomain()); + + if (domain == null) { + // Avoid possible NPE + if (scc.getDomain() != null) { + cookie.setDomain(scc.getDomain()); + } + } else { + cookie.setDomain(domain); } // Always set secure if the request is secure diff --git a/java/org/apache/catalina/core/StandardContext.java b/java/org/apache/catalina/core/StandardContext.java index f5fa07f10..bd6d55433 100644 --- a/java/org/apache/catalina/core/StandardContext.java +++ b/java/org/apache/catalina/core/StandardContext.java @@ -716,11 +716,20 @@ public class StandardContext */ private boolean saveConfig = true; + /** * The flag that indicates that session cookies should use HttpOnly */ private boolean useHttpOnly = true; + + /** + * The domain to use for session cookies. null indicates that + * the domain is controlled by the application. + */ + private String sessionCookieDomain; + + /** * The Jar scanner to use to search for Jars that might contain * configuration information such as TLDs or web-fragment.xml files. 
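Review bot: The new `if (domain == null)` branch treats an empty string as a real override, so a context configured with `sessionCookieDomain=""` would, if the attribute value is copied through unchanged (this patch does not show how it is populated), reach `cookie.setDomain("")` instead of falling back to `scc.getDomain()`; guarding with `if (domain == null || domain.length() == 0) {` keeps the fallback for that case. Alternatively the normalization could live in `StandardContext.setSessionCookieDomain` in the later hunk, which currently stores whatever it is given. `createSessionCookie` begins in the previous hunk and ends after this one.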
@@ -1272,7 +1281,31 @@ public class StandardContext } - + /** + * Gets the domain to use for session cookies. Overrides any setting that + * may be specified by the application. + * + * @return The value of the default session cookie domain or null if not + * specified + */ + public String getSessionCookieDomain() { + return sessionCookieDomain; + } + + + /** + * Sets the domain to use for session cookies. Overrides any setting that + * may be specified by the application. + * + * @param sessionCookieDomain The domain to use + */ + public void setSessionCookieDomain(String sessionCookieDomain) { + String oldSessionCookieDomain = this.sessionCookieDomain; + this.sessionCookieDomain = sessionCookieDomain; + support.firePropertyChange("sessionCookieDomain", + oldSessionCookieDomain, sessionCookieDomain); + } + /** * Return the "allow crossing servlet contexts" flag. diff --git a/webapps/docs/config/context.xml b/webapps/docs/config/context.xml index a150615b9..99369c25b 100644 --- a/webapps/docs/config/context.xml +++ b/webapps/docs/config/context.xml @@ -237,6 +237,13 @@ on demand.

+ +

The domain to be used for all session cookies created for this + context. If set, this overrides any domain set by the web application. + If not set, the value specified by the web application, if any, will be + used.

+
+

Java class name of the org.apache.catalina.Wrapper implementation class that will be used for servlets managed by this -- 2.11.0