details: https://code.openbravo.com/erp/devel/pi/rev/4bf409c90fd1 changeset: 33220:4bf409c90fd1 user: Antonio Moreno <antonio.moreno <at> openbravo.com> date: Thu Jan 25 17:45:45 2018 +0100 summary: Fixed issue 37667. The cookie identifier will now be regenerated just after logging in to the application. On every login the session is now invalidated and regenerated immediately, thus forcing a cookie identifier reset.
details: https://code.openbravo.com/erp/devel/pi/rev/b53aa5f1574a changeset: 33221:b53aa5f1574a user: Antonio Moreno <antonio.moreno <at> openbravo.com> date: Fri Jan 26 09:37:51 2018 +0100 summary: Related to issue 37667. Cookie won't be reset in password reset flow, as it was just reset in the previous request.
diffstat:
src/org/openbravo/base/secureApp/LoginHandler.java | 28 +++++++++++++++++++++-
1 files changed, 27 insertions(+), 1 deletions(-)
diffs (59 lines):
diff -r 72ef6d83714d -r b53aa5f1574a src/org/openbravo/base/secureApp/LoginHandler.java
--- a/src/org/openbravo/base/secureApp/LoginHandler.java Thu Jan 25 18:35:39 2018 +0100
+++ b/src/org/openbravo/base/secureApp/LoginHandler.java Fri Jan 26 09:37:51 2018 +0100
@@ -21,6 +21,7 @@
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpSession;
 import org.apache.commons.lang.StringUtils;
 import org.codehaus.jettison.json.JSONException;
@@ -83,6 +84,16 @@
 ServletException {
 log4j.debug("start doPost");
+
+ boolean isPasswordResetFlow = Boolean.parseBoolean(req.getParameter("resetPassword"));
+ if (!isPasswordResetFlow) {
+ // Cookie id will be reset every time a user logs in, to prevent a malicious user from
+ // stealing a cookie which later on will correspond with a valid session
+ // If we are in password reset flow, there is no need to reset the cookie as it was reset in
+ // the previous attempt to login
+ resetCookieId(req);
+ }
+
 doOptions(req, res);
 final VariablesSecureApp vars = new VariablesSecureApp(req);
@@ -94,7 +105,6 @@
 final String user;
 final String password;
- boolean isPasswordResetFlow = Boolean.parseBoolean(vars.getStringParameter("resetPassword"));
 if (isPasswordResetFlow) {
 user = vars.getSessionValue("#AD_User_ID");
 } else {
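Review bot: Whether `resetCookieId(req)` runs is decided by the client-supplied `resetPassword` parameter, so a login request that carries `resetPassword=true` keeps whatever session id it arrived with, and the session-regeneration defense is skipped on the request's say-so rather than on server-side state. The third hunk shows the reset flow taking the user from `vars.getSessionValue("#AD_User_ID")`, so the exception presumably exists to keep that session value alive across the second request; tying the skip to the presence of that value in the existing session, or carrying it over after the session is replaced, would make the exception depend on the state it protects instead of on a request parameter. Reading the flag through `req.getParameter` instead of the former `vars.getStringParameter` also bypasses whatever normalization VariablesSecureApp applies; harmless for `Boolean.parseBoolean`, but a one-line comment saying the read must happen before `doOptions`/`vars` are available would explain the move. doPost continues outside the hunk.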
@@ -157,6 +167,22 @@
 }
 }
+ /**
+ * This method invalidates the current session and generates a new one on the fly, thus generating
+ * a new JSSESSIONID cookie. It is called every time the user logs in to prevent some malicious
+ * user from stealing a cookie which later on will correspond with a valid session
+ *
+ * @param req
+ */
+ private void resetCookieId(HttpServletRequest req) {
+ HttpSession httpSession = req.getSession(false);
+ if (httpSession != null && !httpSession.isNew()) {
+ httpSession.invalidate();
+ }
+ httpSession = req.getSession(true);
+
+ }
+
 @Override
 public void doOptions(HttpServletRequest request, HttpServletResponse response)
 throws ServletException, IOException {
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot _______________________________________________ Openbravo-commits mailing list Openbravo-commits@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openbravo-commits
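Review bot: In `resetCookieId` the line `httpSession = req.getSession(true);` stores into a local that is never read again, so only the side effect is wanted; writing it as `req.getSession(true);` states that intent and avoids a dead-store warning, and the blank line before the closing brace can go with it. Invalidating the session discards every attribute set before login, which is presumably why doPost skips this call in the password-reset flow; where the container is Servlet 3.1 or later, `req.changeSessionId()` rotates the id while keeping the attributes and would remove the need for that exception. The Javadoc misspells the cookie name (`JSESSIONID`, not `JSSESSIONID`) and `@param req` has no description; `@param req the current request, whose session is invalidated and replaced` would do.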