This is an automated email from the ASF dual-hosted git repository.

rohit pushed a commit to branch 4.13
in repository https://gitbox.apache.org/repos/asf/cloudstack.git


The following commit(s) were added to refs/heads/4.13 by this push:
     new 139aa13  server: Purge all cookies on logout, set /client path on 
login (#4176)
139aa13 is described below

commit 139aa13e6ab6af1a871094cdae7607f00291d6e8
Author: Rohit Yadav <rohit.ya...@shapeblue.com>
AuthorDate: Wed Jul 8 08:03:51 2020 +0530

    server: Purge all cookies on logout, set /client path on login (#4176)
    
    This will purge all cookies on logout, including multiple sessionkey
    cookies if they are passed. On login, this will restrict the sessionkey
    cookie (HttpOnly) to the / path.
    
    Fixes #4136
    
    Co-authored-by: Pearl Dsilva <pearl.dsi...@shapeblue.com>
---
 .../src/main/java/org/apache/cloudstack/saml/SAMLUtils.java |  2 +-
 server/src/main/java/com/cloud/api/ApiServlet.java          | 13 +++++++++----
 2 files changed, 10 insertions(+), 5 deletions(-)

diff --git 
a/plugins/user-authenticators/saml2/src/main/java/org/apache/cloudstack/saml/SAMLUtils.java
 
b/plugins/user-authenticators/saml2/src/main/java/org/apache/cloudstack/saml/SAMLUtils.java
index 6110cc5..6a03d44 100644
--- 
a/plugins/user-authenticators/saml2/src/main/java/org/apache/cloudstack/saml/SAMLUtils.java
+++ 
b/plugins/user-authenticators/saml2/src/main/java/org/apache/cloudstack/saml/SAMLUtils.java
@@ -280,7 +280,7 @@ public class SAMLUtils {
             resp.addCookie(new Cookie("timezone", URLEncoder.encode(timezone, 
HttpUtils.UTF_8)));
         }
         resp.addCookie(new Cookie("userfullname", 
URLEncoder.encode(loginResponse.getFirstName() + " " + 
loginResponse.getLastName(), HttpUtils.UTF_8).replace("+", "%20")));
-        resp.addHeader("SET-COOKIE", String.format("%s=%s;HttpOnly", 
ApiConstants.SESSIONKEY, loginResponse.getSessionKey()));
+        resp.addHeader("SET-COOKIE", String.format("%s=%s;HttpOnly;Path=/", 
ApiConstants.SESSIONKEY, loginResponse.getSessionKey()));
     }
 
     /**
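Review bot: The rewritten Set-Cookie header on the `+` line still carries no `Secure` attribute, so the session key is also sent on plain-HTTP requests, and with `Path=/` it now accompanies requests to every path on the host rather than only the API's own directory; where the endpoint is served over TLS the header should read `String.format("%s=%s;HttpOnly;Path=/;Secure", ApiConstants.SESSIONKEY, loginResponse.getSessionKey())`, and since the header is hand-assembled it could carry `SameSite=Lax` as well. The same header is built in ApiServlet.java in the `@@ -213,7 +213,7 @@` hunk and needs the same treatment. The commit title speaks of a "/client path" while both hunks set `Path=/`, which widens rather than restricts the cookie scope, so the intended path should be stated consistently. The enclosing method begins before this hunk.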
diff --git a/server/src/main/java/com/cloud/api/ApiServlet.java 
b/server/src/main/java/com/cloud/api/ApiServlet.java
index 4002ff8..c42980b 100644
--- a/server/src/main/java/com/cloud/api/ApiServlet.java
+++ b/server/src/main/java/com/cloud/api/ApiServlet.java
@@ -213,7 +213,7 @@ public class ApiServlet extends HttpServlet {
                     try {
                         responseString = 
apiAuthenticator.authenticate(command, params, session, remoteAddress, 
responseType, auditTrailSb, req, resp);
                         if (session != null && 
session.getAttribute(ApiConstants.SESSIONKEY) != null) {
-                            resp.addHeader("SET-COOKIE", 
String.format("%s=%s;HttpOnly", ApiConstants.SESSIONKEY, 
session.getAttribute(ApiConstants.SESSIONKEY)));
+                            resp.addHeader("SET-COOKIE", 
String.format("%s=%s;HttpOnly;Path=/", ApiConstants.SESSIONKEY, 
session.getAttribute(ApiConstants.SESSIONKEY)));
                         }
                     } catch (ServerApiException e) {
                         httpResponseCode = e.getErrorCode().getHttpCode();
@@ -238,9 +238,14 @@ public class ApiServlet extends HttpServlet {
                             } catch (final IllegalStateException ignored) {
                             }
                         }
-                        Cookie sessionKeyCookie = new 
Cookie(ApiConstants.SESSIONKEY, "");
-                        sessionKeyCookie.setMaxAge(0);
-                        resp.addCookie(sessionKeyCookie);
+                        final Cookie[] cookies = req.getCookies();
+                        if (cookies != null) {
+                            for (final Cookie cookie : cookies) {
+                                cookie.setValue("");
+                                cookie.setMaxAge(0);
+                                resp.addCookie(cookie);
+                            }
+                        }
                     }
                     HttpUtils.writeHttpResponse(resp, responseString, 
httpResponseCode, responseType, ApiServer.JSONcontentType.value());
                     return;
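Review bot: The expiry cookies emitted in the new loop have no Path attribute, because cookies obtained from `req.getCookies()` carry only name and value, so each `Max-Age=0` cookie is scoped by the browser to the default path of the request URL; the sessionkey cookie is now issued with `Path=/` on login (the `@@ -213,7 +213,7 @@` hunk above and SAMLUtils.java), and a deletion cookie whose path differs does not match it, so the session cookie would likely survive logout whenever the API is served under a sub-path such as the /client the title mentions. Adding `cookie.setPath("/");` before `resp.addCookie(cookie);` makes the deletion match the login cookie; cookies set by earlier releases without a path would still need a second deletion at the default path during the transition. The same consideration applies to Domain if any cookie is ever set with one, which this diff does not show. The enclosing method continues outside the hunk on both sides.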
