Author: markt
Date: Thu Jul  3 11:58:23 2014
New Revision: 1607594

URL: http://svn.apache.org/r1607594
Log:
Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=56666
When clearing the SSO cookie use the same values for domain, path, httpOnly and 
secure as were used to set the SSO cookie.

Modified:
    tomcat/tc7.0.x/trunk/   (props changed)
    tomcat/tc7.0.x/trunk/java/org/apache/catalina/authenticator/SingleSignOn.java
    tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml

Propchange: tomcat/tc7.0.x/trunk/
------------------------------------------------------------------------------
  Merged /tomcat/trunk:r1607592

Modified: tomcat/tc7.0.x/trunk/java/org/apache/catalina/authenticator/SingleSignOn.java
URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/catalina/authenticator/SingleSignOn.java?rev=1607594&r1=1607593&r2=1607594&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/java/org/apache/catalina/authenticator/SingleSignOn.java (original)
+++ tomcat/tc7.0.x/trunk/java/org/apache/catalina/authenticator/SingleSignOn.java Thu Jul  3 11:58:23 2014
@@ -331,7 +331,26 @@ public class SingleSignOn extends ValveB
         } else {
             if (containerLog.isDebugEnabled())
                 containerLog.debug(" No cached principal found, erasing SSO 
cookie");
+            // No need to return a valid SSO session ID
+            cookie.setValue("REMOVE");
+            // Age of zero will trigger removal
             cookie.setMaxAge(0);
+            // Domain and path have to match the original cookie to 'replace'
+            // the original cookie
+            cookie.setPath("/");
+            String domain = getCookieDomain();
+            if (domain != null) {
+                cookie.setDomain(domain);
+            }
+            // This is going to trigger a Set-Cookie header. While the value is
+            // not security sensitive, ensure that expectations for secure and
+            // httpOnly are met
+            cookie.setSecure(request.isSecure());
+            if 
(request.getServletContext().getSessionCookieConfig().isHttpOnly() ||
+                    request.getContext().getUseHttpOnly()) {
+                cookie.setHttpOnly(true);
+            }
+
             response.addCookie(cookie);
         }
 
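Review bot: the cookie attributes are rebuilt by hand here rather than shared with the code that issues the SSO cookie, so the two paths can drift: the path is hard-coded as `cookie.setPath("/")` while the domain comes from `getCookieDomain()`, and `cookie.setSecure(request.isSecure())` takes the flag from the current request, which only reproduces the original Secure attribute when the clearing request arrives over the same scheme as the one that set the cookie. Consider factoring the domain/path/secure/httpOnly settings into one helper used by both the set and the clear code so the "same values as were used to set the SSO cookie" promise in the log message holds by construction; the `setSecure` line at least deserves a comment noting that a clear over plain HTTP may not match a cookie that was set with Secure.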

Modified: tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml?rev=1607594&r1=1607593&r2=1607594&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml Thu Jul  3 11:58:23 2014
@@ -125,6 +125,11 @@
         <bug>56665</bug>: Correct the generation of the effective web.xml when
         elements contain an empty string as value. (violetagg)
       </fix>
+      <fix>
+        <bug>56666</bug>: When clearing the SSO cookie use the same values for
+        domain, path, httpOnly and secure as were used to set the SSO cookie.
+        (markt) 
+      </fix>
     </changelog>
   </subsection>
   <subsection name="Coyote">
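Review bot: trailing whitespace after `(markt)` in the new `<fix>` entry; the neighbouring entry ends `(violetagg)` with no trailing space, so trim it to keep the changelog consistent.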


