apache/cloudstack
1
0
Fork 0
mirror of https://github.com/apache/cloudstack.git synced 2025-10-26 08:42:29 +01:00
Code Issues Packages Projects Releases Wiki Activity

utils: fix invalid JSESSIONID cookie in https setup (#9856)

Browse Source 
* utils: fix invalid JSESSIONID cookie in https setup

When enable.secure.session.cookie is set to true, use cannot login with error
```
    2024-10-25T09:03:33,898 DEBUG [c.c.u.HttpUtils] (qtp384617262-21:[ctx-a3ee3670]) (logid:7c5bfd8d) jsessionidFromCookie = node017ygldpe44nub1frmqafsj0qmc18
    2024-10-25T09:03:33,898 DEBUG [c.c.u.HttpUtils] (qtp384617262-21:[ctx-a3ee3670]) (logid:7c5bfd8d) session.getId() = node017ygldpe44nub1frmqafsj0qmc18
    2024-10-25T09:03:33,898 ERROR [c.c.u.HttpUtils] (qtp384617262-21:[ctx-a3ee3670]) (logid:7c5bfd8d) JSESSIONID from cookie is invalid.
```

* pr9856 option 2: check only if jsessionid is not null
This commit is contained in:
Wei Zhou 2024-11-07 10:07:16 +01:00 committed by GitHub
parent 006db90f75
commit 9ae5b6a999
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 5 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
utils/src/main/java/com/cloud/utils/HttpUtils.java
View File

@ -116,8 +116,8 @@ public class HttpUtils {
return false;
}
final String jsessionidFromCookie = HttpUtils.findCookie(cookies, "JSESSIONID");
if (jsessionidFromCookie == null
|| !(jsessionidFromCookie.startsWith(session.getId() + '.'))) {
if (jsessionidFromCookie != null
&& !(jsessionidFromCookie.equals(session.getId()) || jsessionidFromCookie.startsWith(session.getId() + '.'))) {
s_logger.error("JSESSIONID from cookie is invalid.");
return false;
}

6
utils/src/test/java/com/cloud/utils/HttpUtilsTest.java
View File

@ -74,7 +74,7 @@ public class HttpUtilsTest {
params = null;
cookies = new Cookie[]{new Cookie(sessionKeyString, sessionKeyValue)};
assertFalse(HttpUtils.validateSessionKey(session, params, cookies, "randomString", HttpUtils.ApiSessionKeyCheckOption.CookieOrParameter));
assertFalse(HttpUtils.validateSessionKey(session, params, cookies, sessionKeyString, HttpUtils.ApiSessionKeyCheckOption.CookieOrParameter));
assertTrue(HttpUtils.validateSessionKey(session, params, cookies, sessionKeyString, HttpUtils.ApiSessionKeyCheckOption.CookieOrParameter));
// param null, cookies not null test (JSESSIONID is not null and matches)
cookies = new Cookie[2];
@ -95,7 +95,7 @@ public class HttpUtilsTest {
cookies = null;
assertFalse(HttpUtils.validateSessionKey(session, params, cookies, sessionKeyString, HttpUtils.ApiSessionKeyCheckOption.CookieOrParameter));
params.put(sessionKeyString, new String[]{sessionKeyValue});
assertFalse(HttpUtils.validateSessionKey(session, params, cookies, sessionKeyString, HttpUtils.ApiSessionKeyCheckOption.CookieOrParameter));
assertTrue(HttpUtils.validateSessionKey(session, params, cookies, sessionKeyString, HttpUtils.ApiSessionKeyCheckOption.CookieOrParameter));
// both param and cookies not null test (JSESSIONID is null)
params = new HashMap<String, Object[]>();
@ -104,7 +104,7 @@ public class HttpUtilsTest {
params.put(sessionKeyString, new String[]{"incorrectValue"});
assertFalse(HttpUtils.validateSessionKey(session, params, cookies, sessionKeyString, HttpUtils.ApiSessionKeyCheckOption.CookieOrParameter));
params.put(sessionKeyString, new String[]{sessionKeyValue});
assertFalse(HttpUtils.validateSessionKey(session, params, cookies, sessionKeyString, HttpUtils.ApiSessionKeyCheckOption.CookieOrParameter));
assertTrue(HttpUtils.validateSessionKey(session, params, cookies, sessionKeyString, HttpUtils.ApiSessionKeyCheckOption.CookieOrParameter));
// both param and cookies not null test (JSESSIONID is not null but mismatches)
params = new HashMap<String, Object[]>();