This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 8.5.x in repository https://gitbox.apache.org/repos/asf/tomcat.git
commit d9a1db799cc30d5bce796e3836bbd837531ce79e
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Fri Dec 6 22:10:29 2019 +0000
Fix back-port of atomic session ID rotation. Replace default method.
---
 java/org/apache/catalina/Manager.java | 33 -----------------------
 java/org/apache/catalina/connector/Request.java | 27 ++++++++++++++++++-
 java/org/apache/catalina/session/ManagerBase.java | 1 -
 3 files changed, 26 insertions(+), 35 deletions(-)
diff --git a/java/org/apache/catalina/Manager.java b/java/org/apache/catalina/Manager.java
index 0fe745b..4c8275f 100644
--- a/java/org/apache/catalina/Manager.java
+++ b/java/org/apache/catalina/Manager.java
@@ -215,44 +215,11 @@ public interface Manager {
 * session ID.
 *
 * @param session The session to change the session ID for
- *
- * @deprecated Use {@link #rotateSessionId(Session)}.
- * Will be removed in Tomcat 10
 */
- @Deprecated
 public void changeSessionId(Session session);
 /**
- * Change the session ID of the current session to a new randomly generated
- * session ID.
- *
- * @param session The session to change the session ID for
- *
- * @return The new session ID
- */
- public default String rotateSessionId(Session session) {
- String newSessionId = null;
- // Assume there new Id is a duplicate until we prove it isn't. The
- // chances of a duplicate are extremely low but the current ManagerBase
- // code protects against duplicates so this default method does too.
- boolean duplicate = true;
- do {
- newSessionId = getSessionIdGenerator().generateSessionId();
- try {
- if (findSession(newSessionId) == null) {
- duplicate = false;
- }
- } catch (IOException ioe) {
- // Swallow. An IOE means the ID was known so continue looping
- }
- } while (duplicate);
- changeSessionId(session, newSessionId);
- return newSessionId;
- }
-
-
- /**
 * Change the session ID of the current session to a specified session ID.
 *
 * @param session The session to change the session ID for
diff --git a/java/org/apache/catalina/connector/Request.java b/java/org/apache/catalina/connector/Request.java
index 954aa3e..d606c2b 100644
--- a/java/org/apache/catalina/connector/Request.java
+++ b/java/org/apache/catalina/connector/Request.java
@@ -83,6 +83,7 @@ import org.apache.catalina.core.AsyncContextImpl;
 import org.apache.catalina.mapper.MappingData;
 import org.apache.catalina.servlet4preview.http.HttpServletMapping;
 import org.apache.catalina.servlet4preview.http.PushBuilder;
+import org.apache.catalina.session.ManagerBase;
 import org.apache.catalina.util.ParameterMap;
 import org.apache.catalina.util.TLSUtil;
 import org.apache.catalina.util.URLEncoder;
@@ -2698,12 +2699,36 @@ public class Request implements org.apache.catalina.servlet4preview.http.HttpSer
 Manager manager = this.getContext().getManager();
- String newSessionId = manager.rotateSessionId(session);
+ String newSessionId = rotateSessionId(manager, session);
 this.changeSessionId(newSessionId);
 return newSessionId;
 }
+ private String rotateSessionId(Manager manager, Session sessiom) {
+ if (manager instanceof ManagerBase) {
+ return ((ManagerBase) manager).rotateSessionId(sessiom);
+ } else {
+ String newSessionId = null;
+ // Assume there new Id is a duplicate until we prove it isn't. The
+ // chances of a duplicate are extremely low but the current ManagerBase
+ // code protects against duplicates so this method does too.
+ boolean duplicate = true;
+ do {
+ newSessionId = manager.getSessionIdGenerator().generateSessionId();
+ try {
+ if (manager.findSession(newSessionId) == null) {
+ duplicate = false;
+ }
+ } catch (IOException ioe) {
+ // Swallow. An IOE means the ID was known so continue looping
+ }
+ } while (duplicate);
+ manager.changeSessionId(session, newSessionId);
+ return newSessionId;
+ }
+ }
+
 /**
 * @return the session associated with this Request, creating one
 * if necessary and requested.
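Review bot: The fallback branch of the new private `rotateSessionId(Manager, Session)` does not use its own parameter: the signature names it `sessiom` and the `ManagerBase` branch passes `sessiom`, but the else branch calls `manager.changeSessionId(session, newSessionId)`. `session` is not declared anywhere in this hunk, so it presumably resolves to a field of `Request` rather than the argument, and for a custom `Manager` the session whose ID is rotated may not be the one the caller looked up. Renaming the parameter fixes both uses: `private String rotateSessionId(Manager manager, Session session) {` and `return ((ManagerBase) manager).rotateSessionId(session);`. Separately, the `do`/`while` retries without bound whenever `findSession` throws `IOException`, so a retry limit with a logged failure would keep a persistently failing store from pinning the request thread.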
diff --git a/java/org/apache/catalina/session/ManagerBase.java b/java/org/apache/catalina/session/ManagerBase.java
index 894256d..74843d0 100644
--- a/java/org/apache/catalina/session/ManagerBase.java
+++ b/java/org/apache/catalina/session/ManagerBase.java
@@ -727,7 +727,6 @@ public abstract class ManagerBase extends LifecycleMBeanBase implements Manager
 }
- @Override
 public String rotateSessionId(Session session) {
 String newId = generateSessionId();
 changeSessionId(session, newId, true, true);
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org