This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 8.5.x in repository https://gitbox.apache.org/repos/asf/tomcat.git
commit 6dcf03e3784f3d7f0c82e8cd3531cf772ae48a37
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Fri Dec 6 12:13:15 2019 +0000

    Add an atomic method to rotate session ID and return new value. Use it.
---
 java/org/apache/catalina/Manager.java             | 33 +++++++++++++++++++++++
 java/org/apache/catalina/connector/Request.java   |  3 +--
 java/org/apache/catalina/session/ManagerBase.java |  7 +++++
 3 files changed, 41 insertions(+), 2 deletions(-)

diff --git a/java/org/apache/catalina/Manager.java b/java/org/apache/catalina/Manager.java
index 4c8275f..0fe745b 100644
--- a/java/org/apache/catalina/Manager.java
+++ b/java/org/apache/catalina/Manager.java
@@ -215,11 +215,44 @@ public interface Manager {
      * session ID.
      *
      * @param session The session to change the session ID for
+     *
+     * @deprecated Use {@link #rotateSessionId(Session)}.
+     *             Will be removed in Tomcat 10
      */
+    @Deprecated
     public void changeSessionId(Session session);
 
 
     /**
+     * Change the session ID of the current session to a new randomly generated
+     * session ID.
+     *
+     * @param session The session to change the session ID for
+     *
+     * @return The new session ID
+     */
+    public default String rotateSessionId(Session session) {
+        String newSessionId = null;
+        // Assume there new Id is a duplicate until we prove it isn't. The
+        // chances of a duplicate are extremely low but the current ManagerBase
+        // code protects against duplicates so this default method does too.
+        boolean duplicate = true;
+        do {
+            newSessionId = getSessionIdGenerator().generateSessionId();
+            try {
+                if (findSession(newSessionId) == null) {
+                    duplicate = false;
+                }
+            } catch (IOException ioe) {
+                // Swallow. An IOE means the ID was known so continue looping
+            }
+        } while (duplicate);
+        changeSessionId(session, newSessionId);
+        return newSessionId;
+    }
+
+
+    /**
      * Change the session ID of the current session to a specified session ID.
      *
      * @param session The session to change the session ID for
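Review bot: The `catch (IOException ioe)` inside the `do … while (duplicate)` loop of the default `rotateSessionId` treats every I/O failure from `findSession` as evidence of a duplicate and retries with no upper bound, so a Manager whose backing store is failing (the interface declares IOException on `findSession`, presumably for exactly that case) would spin on the request thread indefinitely instead of failing the request. A bounded retry is safer: declare `int attempts = 0;` before the loop and, in the catch, `if (++attempts > 3) { throw new IllegalStateException("Unable to verify uniqueness of new session ID", ioe); }`, with a comment that an IOException is a store error rather than proof of a collision. Note also that the check-then-act between `findSession(newSessionId)` and `changeSessionId(session, newSessionId)` is not synchronized, so "atomic" here means the new ID is returned by the call that applies it, not that the duplicate check is race-free; the Javadoc could state that explicitly. The comment `// Assume there new Id is a duplicate` reads as a typo for `the new Id`.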
diff --git a/java/org/apache/catalina/connector/Request.java b/java/org/apache/catalina/connector/Request.java
index bb4039d..954aa3e 100644
--- a/java/org/apache/catalina/connector/Request.java
+++ b/java/org/apache/catalina/connector/Request.java
@@ -2697,9 +2697,8 @@ public class Request implements org.apache.catalina.servlet4preview.http.HttpSer
         }
 
         Manager manager = this.getContext().getManager();
-        manager.changeSessionId(session);
-        String newSessionId = session.getId();
+        String newSessionId = manager.rotateSessionId(session);
         this.changeSessionId(newSessionId);
 
         return newSessionId;
diff --git a/java/org/apache/catalina/session/ManagerBase.java b/java/org/apache/catalina/session/ManagerBase.java
index cccda39..894256d 100644
--- a/java/org/apache/catalina/session/ManagerBase.java
+++ b/java/org/apache/catalina/session/ManagerBase.java
@@ -723,8 +723,15 @@ public abstract class ManagerBase extends LifecycleMBeanBase implements Manager
 
     @Override
     public void changeSessionId(Session session) {
+        rotateSessionId(session);
+    }
+
+
+    @Override
+    public String rotateSessionId(Session session) {
         String newId = generateSessionId();
         changeSessionId(session, newId, true, true);
+        return newId;
     }
 
 
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
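Review bot: `ManagerBase.rotateSessionId` obtains the ID from `generateSessionId()` and applies it directly, so a subclass that customised rotation by overriding the now-deprecated `changeSessionId(Session)` is silently bypassed once `Request` calls `rotateSessionId`; only overrides of `generateSessionId()` or of `rotateSessionId` itself still take effect. That is a behaviour change for such subclasses and deserves a sentence in the deprecation Javadoc, e.g. `Overrides of this method are no longer invoked by the container; override rotateSessionId(Session) instead.` Separately, two concurrent `rotateSessionId` calls on the same Session each generate and apply a distinct ID, and whichever `changeSessionId(session, newId, true, true)` runs second wins while the first caller holds a stale return value; that four-argument method is outside the hunk, so if it offers no locking, a Javadoc note that callers must serialise rotation per session would be useful. The enclosing class continues outside the hunk.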