Author: lektran
Date: Mon Jul 27 05:02:19 2009
New Revision: 798025
URL: http://svn.apache.org/viewvc?rev=798025&view=rev
Log:
Added a new ServletContext parameter "forceHttpSession" that when set to true
forces the JSESSIONID cookie to be sent via http
This resolves an issue in the ecommerce app where if the initial request to the
app is an https request then the session cookie is available via https only.
Subsequently if at any point the user switches to http then the session is lost
along with any data such as the shopping cart.
The solution involves checking if the request is an https request and if the
session is new then the user is redirected to an http version of the request.
The session cookie is then sent along with the http response which will either
be the page requested if the request doesn't require https or otherwise another
redirect back to the https version.
Modified:
ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java
ofbiz/trunk/specialpurpose/ecommerce/webapp/ecommerce/WEB-INF/web.xml
Modified:
ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java
URL:
http://svn.apache.org/viewvc/ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java?rev=798025&r1=798024&r2=798025&view=diff
==============================================================================
---
ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java
(original)
+++
ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java
Mon Jul 27 05:02:19 2009
@@ -174,10 +174,10 @@
requestMap =
controllerConfig.requestMapMap.get(controllerConfig.defaultRequest);
}
}
-
+ boolean forceHttpSession =
"true".equals(context.getInitParameter("forceHttpSession"));
// Check if we SHOULD be secure and are not.
if (!request.isSecure() && requestMap.securityHttps) {
- // If the requet method was POST then return an error to avoid
problems with XSRF where the request may have come from another machine/program
and had the same session ID but was not encrypted as it should have been (we
used to let it pass to not lose data since it was too late to protect that data
anyway)
+ // If the request method was POST then return an error to
avoid problems with XSRF where the request may have come from another
machine/program and had the same session ID but was not encrypted as it should
have been (we used to let it pass to not lose data since it was too late to
protect that data anyway)
if (request.getMethod().equalsIgnoreCase("POST")) {
// we can't redirect with the body parameters, and for
better security from XSRF, just return an error message
Locale locale = UtilHttp.getLocale(request);
@@ -216,6 +216,19 @@
callRedirect(newUrl, response, request);
}
}
+ // if this is a new session and the request is secure and
forceHttpSession is true then we need the
+ // session cookie to be created via an http response (rather than
https) so we'll redirect to an
+ // unsecure request and then if necessary another redirect will
occur to transfer back to https
+ } else if (forceHttpSession && request.isSecure() &&
session.isNew()) {
+ StringBuilder urlBuf = new StringBuilder();
+ urlBuf.append(request.getPathInfo());
+ if (request.getQueryString() != null) {
+ urlBuf.append("?").append(request.getQueryString());
+ }
+ String newUrl = RequestHandler.makeUrl(request, response,
urlBuf.toString(), true, false, false);
+ if (newUrl.toUpperCase().startsWith("HTTP")) {
+ callRedirect(newUrl, response, request);
+ }
}
// Check for HTTPS client (x.509) security
Modified: ofbiz/trunk/specialpurpose/ecommerce/webapp/ecommerce/WEB-INF/web.xml
URL:
http://svn.apache.org/viewvc/ofbiz/trunk/specialpurpose/ecommerce/webapp/ecommerce/WEB-INF/web.xml?rev=798025&r1=798024&r2=798025&view=diff
==============================================================================
--- ofbiz/trunk/specialpurpose/ecommerce/webapp/ecommerce/WEB-INF/web.xml
(original)
+++ ofbiz/trunk/specialpurpose/ecommerce/webapp/ecommerce/WEB-INF/web.xml Mon
Jul 27 05:02:19 2009
@@ -49,6 +49,14 @@
<param-value>component://ecommerce/widget/CommonScreens.xml</param-value>
<description>The location of the main-decorator screen to use for this
webapp; referred to as a context variable in screen def XML files.</description>
</context-param>
+ <context-param>
+ <param-name>forceHttpSession</param-name>
+ <param-value>true</param-value>
+ <description>
+ Forces the JSESSIONID cookie to be sent via http rather https,
helps prevent lost sessions in web apps that
+ frequently switch between http and https.
+ </description>
+ </context-param>
<filter>
<filter-name>ContextFilter</filter-name>
