From 9ae5b6a999b90748d9f88f296521553617334b4f Mon Sep 17 00:00:00 2001
From: Wei Zhou
Date: Thu, 7 Nov 2024 10:07:16 +0100
Subject: [PATCH] utils: fix invalid JSESSIONID cookie in https setup (#9856)

* utils: fix invalid JSESSIONID cookie in https setup

When enable.secure.session.cookie is set to true, use cannot login with error
```
2024-10-25T09:03:33,898 DEBUG [c.c.u.HttpUtils] (qtp384617262-21:[ctx-a3ee3670]) (logid:7c5bfd8d) jsessionidFromCookie = node017ygldpe44nub1frmqafsj0qmc18
2024-10-25T09:03:33,898 DEBUG [c.c.u.HttpUtils] (qtp384617262-21:[ctx-a3ee3670]) (logid:7c5bfd8d) session.getId() = node017ygldpe44nub1frmqafsj0qmc18
2024-10-25T09:03:33,898 ERROR [c.c.u.HttpUtils] (qtp384617262-21:[ctx-a3ee3670]) (logid:7c5bfd8d) JSESSIONID from cookie is invalid.
```

* pr9856 option 2: check only if jsessionid is not null
---
 utils/src/main/java/com/cloud/utils/HttpUtils.java     | 4 ++--
 utils/src/test/java/com/cloud/utils/HttpUtilsTest.java | 6 +++---
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/utils/src/main/java/com/cloud/utils/HttpUtils.java b/utils/src/main/java/com/cloud/utils/HttpUtils.java
index cc97bf4ba15..2b2450dd31b 100644
--- a/utils/src/main/java/com/cloud/utils/HttpUtils.java
+++ b/utils/src/main/java/com/cloud/utils/HttpUtils.java
@@ -116,8 +116,8 @@ public class HttpUtils {
             return false;
         }
         final String jsessionidFromCookie = HttpUtils.findCookie(cookies, "JSESSIONID");
-        if (jsessionidFromCookie == null
-                || !(jsessionidFromCookie.startsWith(session.getId() + '.'))) {
+        if (jsessionidFromCookie != null
+                && !(jsessionidFromCookie.equals(session.getId()) || jsessionidFromCookie.startsWith(session.getId() + '.'))) {
             s_logger.error("JSESSIONID from cookie is invalid.");
             return false;
         }
diff --git a/utils/src/test/java/com/cloud/utils/HttpUtilsTest.java b/utils/src/test/java/com/cloud/utils/HttpUtilsTest.java
index e94724ce3d6..9047934c75c 100644
--- a/utils/src/test/java/com/cloud/utils/HttpUtilsTest.java
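Review bot: The new condition also drops the rejection of a missing cookie: with `jsessionidFromCookie != null &&`, a request carrying no JSESSIONID cookie at all now skips the session-binding check entirely, where the old condition returned false, so the binding becomes something a client can opt out of simply by omitting the cookie. The added `equals(session.getId())` alternative is what the logged failure needed (the cookie carried the bare id with no worker suffix); the null-tolerance is a separate relaxation, and unless `session` can only be non-null when that same cookie was presented, which the hunk does not show, it weakens the check for the param-based and other paths that follow. Unless the secure-cookie setup genuinely requires accepting an absent cookie, keep the equals fix but restore the null rejection, `if (jsessionidFromCookie == null || !(jsessionidFromCookie.equals(session.getId()) || jsessionidFromCookie.startsWith(session.getId() + '.'))) {`; if it is required, a comment above the condition should state why an absent JSESSIONID is trusted, since the error log below no longer covers that case. The enclosing validateSessionKey method starts and continues outside the hunk.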
+++ b/utils/src/test/java/com/cloud/utils/HttpUtilsTest.java
@@ -74,7 +74,7 @@ public class HttpUtilsTest {
         params = null;
         cookies = new Cookie[]{new Cookie(sessionKeyString, sessionKeyValue)};
         assertFalse(HttpUtils.validateSessionKey(session, params, cookies, "randomString", HttpUtils.ApiSessionKeyCheckOption.CookieOrParameter));
-        assertFalse(HttpUtils.validateSessionKey(session, params, cookies, sessionKeyString, HttpUtils.ApiSessionKeyCheckOption.CookieOrParameter));
+        assertTrue(HttpUtils.validateSessionKey(session, params, cookies, sessionKeyString, HttpUtils.ApiSessionKeyCheckOption.CookieOrParameter));
 
         // param null, cookies not null test (JSESSIONID is not null and matches)
         cookies = new Cookie[2];
@@ -95,7 +95,7 @@ public class HttpUtilsTest {
         cookies = null;
         assertFalse(HttpUtils.validateSessionKey(session, params, cookies, sessionKeyString, HttpUtils.ApiSessionKeyCheckOption.CookieOrParameter));
         params.put(sessionKeyString, new String[]{sessionKeyValue});
-        assertFalse(HttpUtils.validateSessionKey(session, params, cookies, sessionKeyString, HttpUtils.ApiSessionKeyCheckOption.CookieOrParameter));
+        assertTrue(HttpUtils.validateSessionKey(session, params, cookies, sessionKeyString, HttpUtils.ApiSessionKeyCheckOption.CookieOrParameter));
 
         // both param and cookies not null test (JSESSIONID is null)
         params = new HashMap();
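Review bot: None of the flipped assertions exercises the case the commit message describes, a JSESSIONID cookie that equals the session id exactly with no worker suffix; this hunk, @@ -95 and @@ -104 all cover requests with no JSESSIONID cookie at all, which now pass, so the `equals` branch that actually fixes the reported login failure has no visible test. The block after this hunk labelled "JSESSIONID is not null and matches" lies outside the hunk, so if it only uses the `id + '.' + suffix` form, add a sibling assertion with the bare id (constructed example, using whatever id the mocked session returns): `cookies[1] = new Cookie("JSESSIONID", session.getId()); assertTrue(HttpUtils.validateSessionKey(session, params, cookies, sessionKeyString, HttpUtils.ApiSessionKeyCheckOption.CookieOrParameter));`. A negative counterpart with a cookie value that differs from the id, e.g. `session.getId() + "x"`, would pin that `equals` did not widen acceptance beyond the exact id.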
@@ -104,7 +104,7 @@ public class HttpUtilsTest {
         params.put(sessionKeyString, new String[]{"incorrectValue"});
         assertFalse(HttpUtils.validateSessionKey(session, params, cookies, sessionKeyString, HttpUtils.ApiSessionKeyCheckOption.CookieOrParameter));
         params.put(sessionKeyString, new String[]{sessionKeyValue});
-        assertFalse(HttpUtils.validateSessionKey(session, params, cookies, sessionKeyString, HttpUtils.ApiSessionKeyCheckOption.CookieOrParameter));
+        assertTrue(HttpUtils.validateSessionKey(session, params, cookies, sessionKeyString, HttpUtils.ApiSessionKeyCheckOption.CookieOrParameter));
 
         // both param and cookies not null test (JSESSIONID is not null but mismatches)
         params = new HashMap();