Commit b1f02145 authored by Ard Schrijvers's avatar Ard Schrijvers

CMS-11335 Make sure a new session is created after login

Prevent session fixation from being exploited. After login, the
session id needs to be renewed. There are some if/else conditions
because when logging into multiple webapps (cms and cms/console), it
is not always possible to renew the session since you would then be
logged out of the other app. Hence, the same credentials are allowed to
log in to a second app without session invalidation. On localhost we
even allow different credentials, to support logging in to cms
and cms/console during development with different credentials.
parent 089db810
/*
* Copyright 2015-2016 Hippo B.V. (http://www.onehippo.com)
* Copyright 2015-2018 Hippo B.V. (http://www.onehippo.com)
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
......@@ -93,6 +93,22 @@ public class LoginPanel extends Panel {
protected void login() throws LoginException {
PluginUserSession userSession = PluginUserSession.get();
if (userSession.getAuthorizedAppCounter() == 0) {
log.debug("Invalidating user session to make sure a new session id is created");
userSession.invalidateNow();
userSession = PluginUserSession.get();
} else {
final String alreadyAuthorizedUser = userSession.getUserName();
if (alreadyAuthorizedUser.equals(username) || isDevMode()) {
log.debug("User is already authenticated to /cms or /cms/console and now logs in into second app. Hence we " +
"should not invalidate the user session.");
} else {
log.info("Invalidating http session because attempt to login to different app with different user name");
userSession.invalidateNow();
userSession = PluginUserSession.get();
}
}
final char[] pwdAsChars = password == null ? new char[]{} : password.toCharArray();
userSession.login(new UserCredentials(new SimpleCredentials(username, pwdAsChars)));
......@@ -102,6 +118,10 @@ public class LoginPanel extends Panel {
userSession.setLocale(getSelectedLocale());
}
private boolean isDevMode() {
return System.getProperty("project.basedir") != null;
}
private Locale getSelectedLocale() {
if (selectedLocale.equals(Locale.CHINESE.getLanguage())) {
// always use simplified Chinese, Wicket does not known Chinese without a country
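Review bot: `alreadyAuthorizedUser.equals(username)` in the else branch of the first hunk dereferences a value read straight from the HTTP session (`getUserName()` returns the `hippo:username` attribute, which is null when absent), so a non-zero app counter with no stored user name ends in a NullPointerException instead of reaching the invalidate-and-retry path; `username.equals(alreadyAuthorizedUser)` or `Objects.equals(alreadyAuthorizedUser, username)` makes the same decision null-safely. The `isDevMode()` short-circuit switches the session renewal off whenever the `project.basedir` system property is set, so that branch deserves a warn-level log line naming the property rather than the shared debug message, since the property alone decides whether the fixation protection is active in a given JVM. The session is also invalidated before the credentials are verified, so a failed login attempt with a different user name still terminates the existing authenticated session; renewing the id after a successful `userSession.login(...)` would keep the mitigation without that side effect, if the login binding order permits it (not visible here). `login()` continues past the end of the hunk.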
/*
* Copyright 2008-2017 Hippo B.V. (http://www.onehippo.com)
* Copyright 2008-2018 Hippo B.V. (http://www.onehippo.com)
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
......@@ -333,10 +333,6 @@ public class PluginUserSession extends UserSession {
}
}
private HttpSession getHttpSession() {
return ((ServletWebRequest)RequestCycle.get().getRequest()).getContainerRequest().getSession();
}
protected void checkApplicationPermission(final Session jcrSession) throws LoginException {
final String applicationName = getApplicationName(jcrSession);
final IPluginConfigService application = getApplicationFactory(jcrSession).getApplication(applicationName);
......@@ -534,7 +530,7 @@ public class PluginUserSession extends UserSession {
}
private int increaseAppCount() {
final Integer appCount = (Integer)getHttpSession().getAttribute(SESSION_CMS_APP_COUNT);
final Integer appCount = (Integer) getHttpSession().getAttribute(SESSION_CMS_APP_COUNT);
if (appCount == null) {
getHttpSession().setAttribute(SESSION_CMS_APP_COUNT, new Integer(1));
return 1;
......@@ -546,7 +542,7 @@ public class PluginUserSession extends UserSession {
}
private int decreaseAppCount() {
final Integer appCounter = (Integer)getHttpSession().getAttribute(SESSION_CMS_APP_COUNT);
final Integer appCounter = (Integer) getHttpSession().getAttribute(SESSION_CMS_APP_COUNT);
if (appCounter == null || appCounter.intValue() <= 1) {
getHttpSession().removeAttribute(SESSION_CMS_APP_COUNT);
return 0;
......@@ -557,6 +553,10 @@ public class PluginUserSession extends UserSession {
}
}
private HttpSession getHttpSession() {
return ((ServletWebRequest) RequestCycle.get().getRequest()).getContainerRequest().getSession();
}
private void resetFallbackSession() {
if (fallbackSession != null) {
if (fallbackSession.isLive()) {
......@@ -566,4 +566,15 @@ public class PluginUserSession extends UserSession {
}
}
public int getAuthorizedAppCounter() {
final Integer appCount = (Integer)getHttpSession().getAttribute(SESSION_CMS_APP_COUNT);
if (appCount == null) {
return 0;
}
return appCount.intValue();
}
public String getUserName() {
return (String)getHttpSession().getAttribute("hippo:username");
}
}
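Review bot: `getUserName()` in the last hunk returns whatever `getAttribute("hippo:username")` yields, so callers can receive null, whereas its companion `getAuthorizedAppCounter()` normalises an absent attribute to 0, and neither new public method has Javadoc saying so. Add `/** @return the user name stored in the HTTP session, or {@code null} when none is stored */` to `getUserName()` and `/** @return the number of CMS apps authorized in this HTTP session, 0 when the attribute is absent */` to `getAuthorizedAppCounter()`, and read the attribute key through a named constant alongside `SESSION_CMS_APP_COUNT` rather than a string literal, since the same key is presumably written elsewhere in the class. Both accessors go through `getHttpSession()` (moved in the earlier hunk), which calls `getSession()` with no argument; if that is the servlet `HttpServletRequest.getSession()`, reading the counter before any login creates an HTTP session as a side effect, and `getSession(false)` with a null check would let these read-only accessors avoid that.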