Author: remy.maucherat(a)jboss.com
Date: 2007-10-11 11:29:20 -0400 (Thu, 11 Oct 2007)
New Revision: 306
Modified:
trunk/java/org/apache/catalina/connector/Connector.java
trunk/java/org/apache/catalina/connector/Request.java
trunk/webapps/docs/changelog.xml
trunk/webapps/docs/config/ajp.xml
trunk/webapps/docs/config/http.xml
Log:
- Standardize on the emptySessionPath=true attribute.
- Add a flag to check the session id existence in another webapp of the host. This has a
cost,
but only occurs in some cases.
Modified: trunk/java/org/apache/catalina/connector/Connector.java
===================================================================
--- trunk/java/org/apache/catalina/connector/Connector.java 2007-10-11 03:34:40 UTC (rev
305)
+++ trunk/java/org/apache/catalina/connector/Connector.java 2007-10-11 15:29:20 UTC (rev
306)
@@ -111,12 +111,6 @@
/**
- * Use "/" as path for session cookies ?
- */
- protected boolean emptySessionPath = false;
-
-
- /**
* The "enable DNS lookups" flag for this Connector.
*/
protected boolean enableLookups = false;
@@ -463,29 +457,6 @@
/**
- * Return the "empty session path" flag.
- */
- public boolean getEmptySessionPath() {
-
- return (this.emptySessionPath);
-
- }
-
-
- /**
- * Set the "empty session path" flag.
- *
- * @param emptySessionPath The new "empty session path" flag value
- */
- public void setEmptySessionPath(boolean emptySessionPath) {
-
- this.emptySessionPath = emptySessionPath;
- setPropertyInternal("emptySessionPath",
String.valueOf(emptySessionPath));
-
- }
-
-
- /**
* Return the "enable DNS lookups" flag.
*/
public boolean getEnableLookups() {
Modified: trunk/java/org/apache/catalina/connector/Request.java
===================================================================
--- trunk/java/org/apache/catalina/connector/Request.java 2007-10-11 03:34:40 UTC (rev
305)
+++ trunk/java/org/apache/catalina/connector/Request.java 2007-10-11 15:29:20 UTC (rev
306)
@@ -56,6 +56,7 @@
import org.apache.coyote.ActionCode;
+import org.apache.catalina.Container;
import org.apache.catalina.Context;
import org.apache.catalina.Globals;
import org.apache.catalina.Host;
@@ -84,6 +85,10 @@
implements HttpServletRequest {
+ protected static final boolean SESSION_ID_CHECK =
+
Boolean.valueOf(System.getProperty("org.apache.catalina.connector.Request.SESSION_ID_CHECK",
"false")).booleanValue();
+
+
// ----------------------------------------------------------- Constructors
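Review bot: SESSION_ID_CHECK is introduced without a Javadoc comment, and none of the documentation files listed as modified in this revision appear to describe the `org.apache.catalina.connector.Request.SESSION_ID_CHECK` system property. The flag decides which client-supplied session ids are accepted, and it is read once at class load, so an operator needs to know it exists and that it cannot be changed at runtime. I would add something like `/** If true, a requested session id is reused only if a webapp of the same host already has a session with that id. Read once from the system property at class load. */`. As a style point, `Boolean.getBoolean("org.apache.catalina.connector.Request.SESSION_ID_CHECK")` expresses the same default-false lookup more briefly.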
@@ -2320,21 +2325,40 @@
(sm.getString("coyoteRequest.sessionCreateCommitted"));
}
- // Attempt to reuse session id if one was submitted in a cookie
- // Do not reuse the session id if it is from a URL, to prevent possible
- // phishing attacks
- if (connector.getEmptySessionPath()
- && isRequestedSessionIdFromCookie()) {
- session = manager.createSession(getRequestedSessionId());
- } else {
- session = manager.createSession(null);
+ // Verify that the submitted session id exists in one of the host's web
applications
+ String sessionId = requestedSessionId;
+ if (sessionId != null) {
+ if (SESSION_ID_CHECK) {
+ boolean found = false;
+ try {
+ if (!found) {
+ Container children[] = getHost().findChildren();
+ for (int i = 0; (i < children.length) && !found; i++)
{
+ if ((children[i].getManager() != null)
+ &&
(children[i].getManager().findSession(sessionId) != null)) {
+ found = true;
+ }
+ }
+ }
+ } catch (IOException e) {
+ // Ignore: one manager is broken, and it will show up elsewhere
again
+ }
+ if (!found) {
+ sessionId = null;
+ }
+ } else if (!isRequestedSessionIdFromCookie()) {
+ sessionId = null;
+ }
}
+ session = manager.createSession(sessionId);
// Creating a new session cookie based on that session
- if ((session != null) && (getContext() != null)
- && getContext().getCookies()) {
+ // If there was no cookie with the current session id, add a cookie to the
response
+ if ( (session != null) && (getContext() != null)
+ && getContext().getCookies()
+ && !(isRequestedSessionIdFromCookie() &&
(session.getIdInternal().equals(getRequestedSessionId()))) ) {
Cookie cookie = new Cookie(Globals.SESSION_COOKIE_NAME,
- session.getIdInternal());
+ session.getIdInternal());
configureSessionCookie(cookie);
response.addCookieInternal(cookie);
}
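Review bot: With SESSION_ID_CHECK enabled, the new block never calls isRequestedSessionIdFromCookie(), so an id taken from the URL is reused whenever some webapp on the host holds a session with that id; the removed comment said URL ids were refused to prevent phishing. With the flag off (the default), any cookie-supplied id reaches `manager.createSession(sessionId)` with no existence check, and the connector attribute no longer gates this. I would refuse non-cookie ids first in both modes, `if (!isRequestedSessionIdFromCookie()) { sessionId = null; } else if (SESSION_ID_CHECK) {`, and consider making the existence check the default behaviour. The inner `if (!found)` directly inside the `try` is always true at that point and can be dropped. The enclosing method starts and ends outside this hunk.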
@@ -2355,15 +2379,7 @@
*/
protected void configureSessionCookie(Cookie cookie) {
cookie.setMaxAge(-1);
- String contextPath = null;
- if (!connector.getEmptySessionPath() && (getContext() != null)) {
- contextPath = getContext().getEncodedPath();
- }
- if ((contextPath != null) && (contextPath.length() > 0)) {
- cookie.setPath(contextPath);
- } else {
- cookie.setPath("/");
- }
+ cookie.setPath("/");
if (isSecure()) {
cookie.setSecure(true);
}
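Review bot: Hard-coding `cookie.setPath("/")` means the session cookie is sent to every webapp on the host, and no setting remains to scope it to the context path. Deployments that co-host applications with different trust levels lose that isolation, which is worth stating where the path is set, for example `// Path is always "/": the session id is sent to, and readable by, every webapp of this host`. The method body continues past the end of the hunk.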
Modified: trunk/webapps/docs/changelog.xml
===================================================================
--- trunk/webapps/docs/changelog.xml 2007-10-11 03:34:40 UTC (rev 305)
+++ trunk/webapps/docs/changelog.xml 2007-10-11 15:29:20 UTC (rev 306)
@@ -50,6 +50,12 @@
<fix>
Use the system property for the session cookie name. (jfclere)
</fix>
+ <fix>
+ Move waiting time for requests to complete to the connector pause. (remm)
+ </fix>
+ <fix>
+ Update session cookie handling (path always set to /) and id generation (check
host's webapps for a matching id). (remm)
+ </fix>
</changelog>
</subsection>
<subsection name="Coyote">
@@ -58,7 +64,8 @@
Remove HTTP NIO connector. (remm)
</update>
<update>
- Remove legacy org.apache.jk AJP connector and utility components. (remm)
+ Remove legacy org.apache.jk AJP connector and utility components, replaced
+ by the org.apache.coyote.ajp connector. (remm)
</update>
</changelog>
</subsection>
@@ -116,8 +123,12 @@
</update>
<fix>
o.a.juli.ClassLoaderLogManager handle more then one system property replacement
at file logging.properties. (pero)
- </fix>
+ </fix>
<fix>
+ <bug>43338</bug>: Support '*' servlet-name mapping at
filter-mapping.
+ Patch provided by Keiichi Fujino. (pero)
+ </fix>
+ <fix>
<bug>43487</bug>: Fix request processing stats. (fhanik)
</fix>
</changelog>
@@ -131,6 +142,9 @@
<fix>
Fixes to B2C conversion. (billbarker)
</fix>
+ <update>
+ Cookie parser refactoring, submitted by John Kew. (remm)
+ </update>
<fix>
<bug>43479</bug>: Memory leak cleaning up sendfile connections,
submitted by Chris Elving. (remm)
</fix>
Modified: trunk/webapps/docs/config/ajp.xml
===================================================================
--- trunk/webapps/docs/config/ajp.xml 2007-10-11 03:34:40 UTC (rev 305)
+++ trunk/webapps/docs/config/ajp.xml 2007-10-11 15:29:20 UTC (rev 306)
@@ -59,14 +59,6 @@
HTTP method. If not specified, this attribute is set to false.</p>
</attribute>
- <attribute name="emptySessionPath" required="false">
- <p>If set to <code>true</code>, all paths for session cookies
will be set
- to <code>/</code>. This can be useful for portlet specification
implementations,
- but will greatly affect performance if many applications are accessed on a given
- server by the client.
- If not specified, this attribute is set to
<code>false</code>.</p>
- </attribute>
-
<attribute name="enableLookups" required="false">
<p>Set to <code>true</code> if you want calls to
<code>request.getRemoteHost()</code> to perform DNS lookups in
Modified: trunk/webapps/docs/config/http.xml
===================================================================
--- trunk/webapps/docs/config/http.xml 2007-10-11 03:34:40 UTC (rev 305)
+++ trunk/webapps/docs/config/http.xml 2007-10-11 15:29:20 UTC (rev 306)
@@ -60,14 +60,6 @@
HTTP method. If not specified, this attribute is set to false.</p>
</attribute>
- <attribute name="emptySessionPath" required="false">
- <p>If set to <code>true</code>, all paths for session cookies
will be set
- to <code>/</code>. This can be useful for portlet specification
implementations,
- but will greatly affect performance if many applications are accessed on a given
- server by the client.
- If not specified, this attribute is set to
<code>false</code>.</p>
- </attribute>
-
<attribute name="enableLookups" required="false">
<p>Set to <code>true</code> if you want calls to
<code>request.getRemoteHost()</code> to perform DNS lookups in