This is an automated email from the ASF dual-hosted git repository.
ashish pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/trunk by this push:
new 8c5af7e34b Align securedLoginId cookie processing with JWT-based
verification (#981)
8c5af7e34b is described below
commit 8c5af7e34b2348b94eeaacf4569a5b080b68f1a5
Author: Ashish Vijaywargiya <[email protected]>
AuthorDate: Thu Mar 12 12:19:37 2026 +0530
Align securedLoginId cookie processing with JWT-based verification (#981)
Improved: Align securedLoginId cookie processing with JWT-based
verification
---
.../java/org/apache/ofbiz/webapp/control/LoginWorker.java | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git
a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/LoginWorker.java
b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/LoginWorker.java
index 82aeb329c8..5f8a15eccd 100644
---
a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/LoginWorker.java
+++
b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/LoginWorker.java
@@ -1073,6 +1073,17 @@ public final class LoginWorker {
}
}
}
+
+ // Verify the plain-text cookie against the mathematically secure JWT
token
+ if (UtilValidate.isNotEmpty(securedUserLoginId)) {
+ String jwtUserLoginId = getSecuredUserLoginByJWT(request);
+ if (UtilValidate.isEmpty(jwtUserLoginId) ||
!securedUserLoginId.equals(jwtUserLoginId)) {
+ Debug.logWarning("Cookie securedLoginId [" + securedUserLoginId
+ + "] does not match or is missing a valid
securedLoginToken JWT.", MODULE);
+ return null;
+ }
+ }
+
return securedUserLoginId;
}
public static String getSecuredUserLoginByJWT(HttpServletRequest request) {
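Review bot: The `Debug.logWarning` in the mismatch branch writes the raw `securedUserLoginId` into the log, and that value comes straight from the client-supplied `securedLoginId` cookie, so an arbitrary string (including CR/LF) reaches the log file on every failed check; either drop the value from the message or sanitize it first, e.g. `Debug.logWarning("Cookie securedLoginId does not match or is missing a valid securedLoginToken JWT.", MODULE);`. The new comment's "mathematically secure JWT token" does not describe what the check relies on; `// Only trust the plain securedLoginId cookie when it equals the user login id carried in the signed securedLoginToken JWT` states the actual invariant. Whether `getSecuredUserLoginByJWT` verifies the signature and expiry is not visible here because its body runs past the hunk, and the method that returns `securedUserLoginId` begins before the hunk, so the earlier branches that populate the variable were not reviewed.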