This is an automated email from the ASF dual-hosted git repository.

rohit pushed a commit to branch 4.19
in repository https://gitbox.apache.org/repos/asf/cloudstack.git


The following commit(s) were added to refs/heads/4.19 by this push:
     new 9ae5b6a999b utils: fix invalid JSESSIONID cookie in https setup (#9856)
9ae5b6a999b is described below

commit 9ae5b6a999b90748d9f88f296521553617334b4f
Author: Wei Zhou <weiz...@apache.org>
AuthorDate: Thu Nov 7 10:07:16 2024 +0100

    utils: fix invalid JSESSIONID cookie in https setup (#9856)
    
    * utils: fix invalid JSESSIONID cookie in https setup
    
    When enable.secure.session.cookie is set to true, the user cannot log in with the error
    ```
        2024-10-25T09:03:33,898 DEBUG [c.c.u.HttpUtils] 
(qtp384617262-21:[ctx-a3ee3670]) (logid:7c5bfd8d) jsessionidFromCookie = 
node017ygldpe44nub1frmqafsj0qmc18
        2024-10-25T09:03:33,898 DEBUG [c.c.u.HttpUtils] 
(qtp384617262-21:[ctx-a3ee3670]) (logid:7c5bfd8d) session.getId() = 
node017ygldpe44nub1frmqafsj0qmc18
        2024-10-25T09:03:33,898 ERROR [c.c.u.HttpUtils] 
(qtp384617262-21:[ctx-a3ee3670]) (logid:7c5bfd8d) JSESSIONID from cookie is 
invalid.
    ```
    
    * pr9856 option 2: check only if jsessionid is not null
---
 utils/src/main/java/com/cloud/utils/HttpUtils.java     | 4 ++--
 utils/src/test/java/com/cloud/utils/HttpUtilsTest.java | 6 +++---
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/utils/src/main/java/com/cloud/utils/HttpUtils.java 
b/utils/src/main/java/com/cloud/utils/HttpUtils.java
index cc97bf4ba15..2b2450dd31b 100644
--- a/utils/src/main/java/com/cloud/utils/HttpUtils.java
+++ b/utils/src/main/java/com/cloud/utils/HttpUtils.java
@@ -116,8 +116,8 @@ public class HttpUtils {
             return false;
         }
         final String jsessionidFromCookie = HttpUtils.findCookie(cookies, 
"JSESSIONID");
-        if (jsessionidFromCookie == null
-                || !(jsessionidFromCookie.startsWith(session.getId() + '.'))) {
+        if (jsessionidFromCookie != null
+                && !(jsessionidFromCookie.equals(session.getId()) || 
jsessionidFromCookie.startsWith(session.getId() + '.'))) {
             s_logger.error("JSESSIONID from cookie is invalid.");
             return false;
         }
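Review bot: The rewritten condition on the `+` lines makes a missing JSESSIONID cookie pass this guard, so a request carrying only the session key (cookie or parameter) is no longer rejected here; the three assertFalse→assertTrue flips in HttpUtilsTest show this is intended rather than incidental. Whether that is safe depends on how the caller obtains `session` (outside this hunk): if the container already resolved it from the JSESSIONID cookie the check is redundant when the cookie is absent, but if a session can be reached another way the binding between JSESSIONID and the session key is weakened, so the intent deserves a comment so the relaxation is not silently tightened or loosened later. I would add `// JSESSIONID may be absent (#9856); when present it must equal the session id, optionally followed by a '.' suffix` above the if. The compound predicate would also read more clearly as a small private helper such as `isJsessionidValid(jsessionidFromCookie, session.getId())`. validateSessionKey begins and ends outside the hunk.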
diff --git a/utils/src/test/java/com/cloud/utils/HttpUtilsTest.java 
b/utils/src/test/java/com/cloud/utils/HttpUtilsTest.java
index e94724ce3d6..9047934c75c 100644
--- a/utils/src/test/java/com/cloud/utils/HttpUtilsTest.java
+++ b/utils/src/test/java/com/cloud/utils/HttpUtilsTest.java
@@ -74,7 +74,7 @@ public class HttpUtilsTest {
         params = null;
         cookies = new Cookie[]{new Cookie(sessionKeyString, sessionKeyValue)};
         assertFalse(HttpUtils.validateSessionKey(session, params, cookies, 
"randomString", HttpUtils.ApiSessionKeyCheckOption.CookieOrParameter));
-        assertFalse(HttpUtils.validateSessionKey(session, params, cookies, 
sessionKeyString, HttpUtils.ApiSessionKeyCheckOption.CookieOrParameter));
+        assertTrue(HttpUtils.validateSessionKey(session, params, cookies, 
sessionKeyString, HttpUtils.ApiSessionKeyCheckOption.CookieOrParameter));
 
         // param null, cookies not null test (JSESSIONID is not null and 
matches)
         cookies = new Cookie[2];
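Review bot: The flipped assertion on the `+` line exercises the relaxed null branch, but none of the visible test hunks pins the new `equals(session.getId())` clause, which is the exact scenario from the commit message (cookie value identical to the session id, no '.' suffix). If the "JSESSIONID is not null and matches" case that continues after this hunk still builds the cookie only as the id followed by '.', add one assertion with a cookie whose value is exactly the mocked session id, e.g. `cookies[1] = new Cookie("JSESSIONID", session.getId());` followed by an `assertTrue`, plus a mismatching sibling such as `session.getId() + "x"` expected to be false. The test method begins and ends outside this hunk.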
@@ -95,7 +95,7 @@ public class HttpUtilsTest {
         cookies = null;
         assertFalse(HttpUtils.validateSessionKey(session, params, cookies, 
sessionKeyString, HttpUtils.ApiSessionKeyCheckOption.CookieOrParameter));
         params.put(sessionKeyString, new String[]{sessionKeyValue});
-        assertFalse(HttpUtils.validateSessionKey(session, params, cookies, 
sessionKeyString, HttpUtils.ApiSessionKeyCheckOption.CookieOrParameter));
+        assertTrue(HttpUtils.validateSessionKey(session, params, cookies, 
sessionKeyString, HttpUtils.ApiSessionKeyCheckOption.CookieOrParameter));
 
         // both param and cookies not null test (JSESSIONID is null)
         params = new HashMap<String, Object[]>();
@@ -104,7 +104,7 @@ public class HttpUtilsTest {
         params.put(sessionKeyString, new String[]{"incorrectValue"});
         assertFalse(HttpUtils.validateSessionKey(session, params, cookies, 
sessionKeyString, HttpUtils.ApiSessionKeyCheckOption.CookieOrParameter));
         params.put(sessionKeyString, new String[]{sessionKeyValue});
-        assertFalse(HttpUtils.validateSessionKey(session, params, cookies, 
sessionKeyString, HttpUtils.ApiSessionKeyCheckOption.CookieOrParameter));
+        assertTrue(HttpUtils.validateSessionKey(session, params, cookies, 
sessionKeyString, HttpUtils.ApiSessionKeyCheckOption.CookieOrParameter));
 
         // both param and cookies not null test (JSESSIONID is not null but 
mismatches)
         params = new HashMap<String, Object[]>();
