This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/main by this push: new 65d9de34ac Preparation for fixing BZ 66120 65d9de34ac is described below commit 65d9de34ac4e512afe374639494fdd9d7e055ade Author: Mark Thomas <ma...@apache.org> AuthorDate: Mon Aug 22 08:43:11 2022 +0100 Preparation for fixing BZ 66120 https://bz.apache.org/bugzilla/show_bug.cgi?id=66120 Once BZ 66120 is fixed, the session note that holds the current session ID during FORM authentication will be replicated across the cluster. If failover occurs during FORM authentication, this note also needs to be updated. This change is a NO-OP until the fix for BZ 66120 is committed. --- .../catalina/ha/session/JvmRouteBinderValve.java | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/java/org/apache/catalina/ha/session/JvmRouteBinderValve.java b/java/org/apache/catalina/ha/session/JvmRouteBinderValve.java index c777d3e783..637d3a1dee 100644 --- a/java/org/apache/catalina/ha/session/JvmRouteBinderValve.java +++ b/java/org/apache/catalina/ha/session/JvmRouteBinderValve.java @@ -24,6 +24,7 @@ import org.apache.catalina.Cluster; import org.apache.catalina.LifecycleException; import org.apache.catalina.Manager; import org.apache.catalina.Session; +import org.apache.catalina.authenticator.Constants; import org.apache.catalina.connector.Request; import org.apache.catalina.connector.Response; import org.apache.catalina.ha.CatalinaCluster; @@ -327,6 +328,7 @@ public class JvmRouteBinderValve extends ValveBase implements ClusterValve { fireLifecycleEvent("Before session migration", catalinaSession); catalinaSession.getManager().changeSessionId(catalinaSession, newSessionID); changeRequestSessionID(request, sessionId, newSessionID); + changeSessionAuthenticationNote(sessionId, newSessionID, catalinaSession); fireLifecycleEvent("After session migration", catalinaSession); if (log.isDebugEnabled()) { log.debug(sm.getString("jvmRoute.changeSession", sessionId, @@ -356,6 +358,23 @@ public class JvmRouteBinderValve extends ValveBase implements ClusterValve { } + /** + * Change the current session ID that is stored in a session note during + * authentication. It is part of the CSRF protection. + * + * @param sessionId The original session ID + * @param newSessionID The new session ID for node migration + * @param catalinaSession The session object (that will be using the new + * session ID at the point this method is + * called) + */ + protected void changeSessionAuthenticationNote(String sessionId, String newSessionID, Session catalinaSession) { + if (sessionId.equals(catalinaSession.getNote(Constants.SESSION_ID_NOTE))) { + catalinaSession.setNote(Constants.SESSION_ID_NOTE, newSessionID); + } + } + + /** * Start this component and implement the requirements * of {@link org.apache.catalina.util.LifecycleBase#startInternal()}. --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org