This is an automated email from the ASF dual-hosted git repository. rohit pushed a commit to branch 4.13 in repository https://gitbox.apache.org/repos/asf/cloudstack.git
The following commit(s) were added to refs/heads/4.13 by this push: new 139aa13 server: Purge all cookies on logout, set /client path on login (#4176) 139aa13 is described below commit 139aa13e6ab6af1a871094cdae7607f00291d6e8 Author: Rohit Yadav <rohit.ya...@shapeblue.com> AuthorDate: Wed Jul 8 08:03:51 2020 +0530 server: Purge all cookies on logout, set /client path on login (#4176) This will purge all the cookies on logout including multiple sessionkey cookies if passed. On login, this will restrict sessionkey cookie (httponly) to the / path. Fixes #4136 Co-authored-by: Pearl Dsilva <pearl.dsi...@shapeblue.com>
---
 .../src/main/java/org/apache/cloudstack/saml/SAMLUtils.java | 2 +-
 server/src/main/java/com/cloud/api/ApiServlet.java | 13 +++++++++----
 2 files changed, 10 insertions(+), 5 deletions(-)
diff --git a/plugins/user-authenticators/saml2/src/main/java/org/apache/cloudstack/saml/SAMLUtils.java b/plugins/user-authenticators/saml2/src/main/java/org/apache/cloudstack/saml/SAMLUtils.java
index 6110cc5..6a03d44 100644
--- a/plugins/user-authenticators/saml2/src/main/java/org/apache/cloudstack/saml/SAMLUtils.java
+++ b/plugins/user-authenticators/saml2/src/main/java/org/apache/cloudstack/saml/SAMLUtils.java
@@ -280,7 +280,7 @@ public class SAMLUtils {
 resp.addCookie(new Cookie("timezone", URLEncoder.encode(timezone, HttpUtils.UTF_8)));
 }
 resp.addCookie(new Cookie("userfullname", URLEncoder.encode(loginResponse.getFirstName() + " " + loginResponse.getLastName(), HttpUtils.UTF_8).replace("+", "%20")));
- resp.addHeader("SET-COOKIE", String.format("%s=%s;HttpOnly", ApiConstants.SESSIONKEY, loginResponse.getSessionKey()));
+ resp.addHeader("SET-COOKIE", String.format("%s=%s;HttpOnly;Path=/", ApiConstants.SESSIONKEY, loginResponse.getSessionKey()));
 }

 /**
diff --git a/server/src/main/java/com/cloud/api/ApiServlet.java b/server/src/main/java/com/cloud/api/ApiServlet.java
index 4002ff8..c42980b 100644
--- a/server/src/main/java/com/cloud/api/ApiServlet.java
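Review bot: The hand-built SET-COOKIE header on the added line still carries no `Secure` and no `SameSite` attribute, so the session key may be sent over plain HTTP and attached to cross-site requests, and because the header is assembled by hand nothing downstream will add them. Appending `;SameSite=Lax` (or `Strict`) and `;Secure` when the request arrived over TLS would close that; only `resp` is visible in this hunk, so whether a request object is available here to consult for `isSecure()` has to be checked. The commit title says "/client path" while the added line and the description set `Path=/`; one of the two should be corrected so the intended cookie scope is not ambiguous to later readers. The enclosing method begins before this hunk.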
+++ b/server/src/main/java/com/cloud/api/ApiServlet.java
@@ -213,7 +213,7 @@ public class ApiServlet extends HttpServlet {
 try {
 responseString = apiAuthenticator.authenticate(command, params, session, remoteAddress, responseType, auditTrailSb, req, resp);
 if (session != null && session.getAttribute(ApiConstants.SESSIONKEY) != null) {
- resp.addHeader("SET-COOKIE", String.format("%s=%s;HttpOnly", ApiConstants.SESSIONKEY, session.getAttribute(ApiConstants.SESSIONKEY)));
+ resp.addHeader("SET-COOKIE", String.format("%s=%s;HttpOnly;Path=/", ApiConstants.SESSIONKEY, session.getAttribute(ApiConstants.SESSIONKEY)));
 }
 } catch (ServerApiException e) {
 httpResponseCode = e.getErrorCode().getHttpCode();
@@ -238,9 +238,14 @@ public class ApiServlet extends HttpServlet {
 } catch (final IllegalStateException ignored) {
 }
 }
- Cookie sessionKeyCookie = new Cookie(ApiConstants.SESSIONKEY, "");
- sessionKeyCookie.setMaxAge(0);
- resp.addCookie(sessionKeyCookie);
+ final Cookie[] cookies = req.getCookies();
+ if (cookies != null) {
+ for (final Cookie cookie : cookies) {
+ cookie.setValue("");
+ cookie.setMaxAge(0);
+ resp.addCookie(cookie);
+ }
+ }
 }
 HttpUtils.writeHttpResponse(resp, responseString, httpResponseCode, responseType, ApiServer.JSONcontentType.value());
 return;
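Review bot: The format string `"%s=%s;HttpOnly;Path=/"` on the added line is now duplicated verbatim between this servlet and SAMLUtils, so any further attribute (`Secure`, `SameSite`) must be remembered in both login paths or the two cookies drift apart. A single helper that builds the session-key Set-Cookie value would keep them in step, and since `req` is in scope here it could append `;Secure` when `req.isSecure()` is true, e.g. `String.format("%s=%s;HttpOnly;Path=/%s", ApiConstants.SESSIONKEY, key, req.isSecure() ? ";Secure" : "")`. The session key is read from the server-side session attribute, so header injection through the value is not a concern unless that attribute can be populated from client input, which this hunk does not show. The enclosing try block and method continue outside this hunk.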
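Review bot: The cookies obtained from `req.getCookies()` in the new logout loop carry no Path attribute, because a browser sends only name=value in the Cookie request header, so each `resp.addCookie(cookie)` emits an expiring Set-Cookie without Path and the browser scopes it to the request URL's directory. That will not match the `sessionkey` cookie this same commit now issues with `Path=/` at login, so the login cookie is likely to survive logout; add `cookie.setPath("/");` inside the loop, and to also clear cookies issued before this change under the old default path, emit a second expiring copy without the path. Echoing every client-supplied cookie name back into a Set-Cookie header also relies on the container rejecting malformed names; limiting the purge to the cookies this application issues (`sessionkey`, `timezone`, `userfullname` and the like) would be tighter. The enclosing method continues outside this hunk.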