marcsaeg 01/03/05 17:13:05
Modified: src/share/org/apache/tomcat/facade Tag: tomcat_32
HttpServletRequestFacade.java
Log:
The isRequestedSessionIdValid() should be based on the value of
getRequestedSessionId(). Instead of just checking that getSession(false)
returns a non-null value (i.e. there is an active session) we must
also test that the active session's ID matches the requested session id.
PR: 160
Revision Changes Path
No revision
No revision
1.6.2.1 +6 -4
jakarta-tomcat/src/share/org/apache/tomcat/facade/Attic/HttpServletRequestFacade.java
Index: HttpServletRequestFacade.java
===================================================================
RCS file:
/home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/facade/Attic/HttpServletRequestFacade.java,v
retrieving revision 1.6
retrieving revision 1.6.2.1
diff -u -r1.6 -r1.6.2.1
--- HttpServletRequestFacade.java 2000/06/19 21:53:13 1.6
+++ HttpServletRequestFacade.java 2001/03/06 01:13:05 1.6.2.1
@@ -401,10 +401,12 @@
}
public boolean isRequestedSessionIdValid() {
- // so here we just assume that if we have a session it's,
- // all good, else not.
- HttpSession session = (HttpSession)request.getSession(false);
- return (session != null);
+ boolean isvalid = false;
+ HttpSession session = (HttpSession)request.getSession(false);
+ if(session != null && session.getId().equals(getRequestedSessionId()))
+ isvalid = true;
+
+ return isvalid;
}
/** Adapter - Request uses getSessionIdSource
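Review bot: The new body of isRequestedSessionIdValid() drops the old explanatory comment without replacing it, so the reason for the ID comparison now lives only in the commit log. A one-line comment above the `if` would help, saying that an active session is not enough and its ID must equal the one the client sent. The `isvalid` flag and the brace-less `if` can also be collapsed to `return session != null && session.getId().equals(getRequestedSessionId());`. Calling equals() on session.getId() rather than on the requested ID is the right way round: if getRequestedSessionId() returns null, the comparison is simply false, so a request that carried no session ID is reported as not valid instead of throwing.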