There may be more to this.  This fix uncovered other places that were using
the requested session id and assuming that it was really the active session
id.  I'll be committing a fix for that problem later today.  I'm not as
familiar with the 3.3 code base but I'll try to port the patch.

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, March 06, 2001 10:08 AM
> To: [EMAIL PROTECTED]
> Subject: cvs commit:
> jakarta-tomcat/src/facade22/org/apache/tomcat/facade
> HttpServletRequestFacade.java
>
>
> larryi      01/03/06 08:07:45
>
>   Modified:    src/facade22/org/apache/tomcat/facade
>                         HttpServletRequestFacade.java
>   Log:
>   Port patch from tomcat_32 for part of Bugzilla Bug #160
>
>   The isRequestedSessionIdValid() should be based on the value of
>   getRequestedSessionId(). Instead of just checking that getSession(false)
>   returns a non-null value (i.e. there is an active session) we must
>   also test that the active session's ID matches the requested session id.
>
>   Patch By: Marc Saegesser
>
>   Revision  Changes    Path
>   1.20      +6 -3
> jakarta-tomcat/src/facade22/org/apache/tomcat/facade/HttpServletRequestFacade.java
>
>   Index: HttpServletRequestFacade.java
>   ===================================================================
>   RCS file:
> /home/cvs/jakarta-tomcat/src/facade22/org/apache/tomcat/facade/Htt
pServletRequestFacade.java,v
>   retrieving revision 1.19
>   retrieving revision 1.20
>   diff -u -r1.19 -r1.20
>   --- HttpServletRequestFacade.java   2001/02/27 02:49:27     1.19
>   +++ HttpServletRequestFacade.java   2001/03/06 16:07:44     1.20
>   @@ -451,9 +451,12 @@
>        }
>
>        public boolean isRequestedSessionIdValid() {
>   -   // so here we just assume that if we have a session it's,
>   -   // all good, else not.
>   -   return null != request.getSession(false);
>   +        boolean isvalid = false;
>   +        ServerSession session =
> (ServerSession)request.getSession(false);
>   +        if(session != null &&
> session.getId().equals(getRequestedSessionId()))
>   +            isvalid = true;
>   +
>   +        return isvalid;
>        }
>
>        /** Adapter - Request uses getSessionIdSource
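
Review bot: The new body of isRequestedSessionIdValid() removes the old two-line comment and puts nothing in its place, so the method no longer says why a non-null getSession(false) is not sufficient. A short comment stating that the active session's id must equal getRequestedSessionId() would stop a later cleanup from simplifying it back to the null check. The isvalid flag and the brace-less if can also collapse into a single return of the condition, session != null && session.getId().equals(getRequestedSessionId()). Assuming getId() returns a String, that comparison is already false when no session id was requested, because equals(null) is false, so no extra null check is needed. The added lines are indented with spaces while the removed ones used a tab; match the file's existing style.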
>
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, email: [EMAIL PROTECTED]

