Commit b697a7ba authored by Ard Schrijvers's avatar Ard Schrijvers

CMS-11338 [Backport 11.2] Make sure a new session is created after login

Note that this also backports CMS-10946, since there would otherwise be conflicts. The
changes in CMS-10946 can be backported without problems.

Avoid the possibility to exploit session fixation. After login, the
session id needs to be renewed. There are some if/else conditions
because when logging in into multiple webapps (cms and cms/console), it
is not always possible to renew the session since you would then be
logged out for the other app. Hence, the same credentials are allowed to
login into a second app without session invalidation. On localhost we
allow even different credentials to support being able to login into cms
and cms/console during development with different credentials.

(cherry picked from commit b1f02145)
parent 3ff6d0f1
/*
* Copyright 2015-2016 Hippo B.V. (http://www.onehippo.com)
* Copyright 2015-2018 Hippo B.V. (http://www.onehippo.com)
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
......@@ -93,6 +93,22 @@ public class LoginPanel extends Panel {
protected void login() throws LoginException {
PluginUserSession userSession = PluginUserSession.get();
if (userSession.getAuthorizedAppCounter() == 0) {
log.debug("Invalidating user session to make sure a new session id is created");
userSession.invalidateNow();
userSession = PluginUserSession.get();
} else {
final String alreadyAuthorizedUser = userSession.getUserName();
if (alreadyAuthorizedUser.equals(username) || isDevMode()) {
log.debug("User is already authenticated to /cms or /cms/console and now logs in into second app. Hence we " +
"should not invalidate the user session.");
} else {
log.info("Invalidating http session because attempt to login to different app with different user name");
userSession.invalidateNow();
userSession = PluginUserSession.get();
}
}
final char[] pwdAsChars = password == null ? new char[]{} : password.toCharArray();
userSession.login(new UserCredentials(new SimpleCredentials(username, pwdAsChars)));
......@@ -102,6 +118,10 @@ public class LoginPanel extends Panel {
userSession.setLocale(getSelectedLocale());
}
private boolean isDevMode() {
return System.getProperty("project.basedir") != null;
}
private Locale getSelectedLocale() {
if (selectedLocale.equals(Locale.CHINESE.getLanguage())) {
// always use simplified Chinese, Wicket does not known Chinese without a country
......
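Review bot: `alreadyAuthorizedUser.equals(username)` on the line after the `getUserName()` call dereferences a value that can be null, since `getUserName()` returns the raw `hippo:username` session attribute and a non-zero app counter does not by itself guarantee that attribute is present; a null there turns the login attempt into a NullPointerException instead of taking the invalidate-and-renew path. Flipping the check so that an absent name falls through to invalidation keeps the safe default: `if ((alreadyAuthorizedUser != null && alreadyAuthorizedUser.equals(username)) || isDevMode()) {`. Separately, `isDevMode()` keys cross-user session reuse on the `project.basedir` system property rather than on the request coming from localhost as the description says, so if that property is ever present in a deployed environment the session renewal is skipped for a different user; the condition deserves a comment naming that assumption, e.g. `// assumes project.basedir is set only when running from a development checkout — confirm`. The enclosing `login()` continues past the hunk.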
/*
* Copyright 2008-2016 Hippo B.V. (http://www.onehippo.com)
* Copyright 2008-2018 Hippo B.V. (http://www.onehippo.com)
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
......@@ -201,9 +201,8 @@ public class PluginUserSession extends UserSession {
main.resetConnection();
throw new RepositoryUnavailableException("Repository is not available.");
}
} else if (fallbackSession != null) {
fallbackSession.logout();
fallbackSession = null;
} else {
resetFallbackSession();
}
return session;
}
......@@ -334,10 +333,6 @@ public class PluginUserSession extends UserSession {
}
}
private HttpSession getHttpSession() {
return ((ServletWebRequest)RequestCycle.get().getRequest()).getContainerRequest().getSession();
}
protected void checkApplicationPermission(final Session jcrSession) throws LoginException {
final String applicationName = getApplicationName(jcrSession);
final IPluginConfigService application = getApplicationFactory(jcrSession).getApplication(applicationName);
......@@ -360,11 +355,10 @@ public class PluginUserSession extends UserSession {
JcrObservationManager.getInstance().cleanupListeners(this);
pageId = 0;
getHttpSession().removeAttribute("hippo:username");
final int appCount = decreaseAppCount();
dirty();
if (appCount == 0) {
getHttpSession().removeAttribute("hippo:username");
invalidate();
} else {
if (PluginApplication.get().getPluginApplicationName().equals(PLUGIN_APPLICATION_VALUE_CMS)) {
......@@ -448,10 +442,7 @@ public class PluginUserSession extends UserSession {
@Override
public void detach() {
if (fallbackSession != null) {
fallbackSession.logout();
fallbackSession = null;
}
resetFallbackSession();
super.detach();
}
......@@ -478,11 +469,7 @@ public class PluginUserSession extends UserSession {
@Override
public void onInvalidate() {
if (fallbackSession != null) {
fallbackSession.logout();
fallbackSession = null;
}
resetFallbackSession();
releaseJcrSession();
JcrObservationManager.getInstance().cleanupListeners(this);
......@@ -543,7 +530,7 @@ public class PluginUserSession extends UserSession {
}
private int increaseAppCount() {
final Integer appCount = (Integer)getHttpSession().getAttribute(SESSION_CMS_APP_COUNT);
final Integer appCount = (Integer) getHttpSession().getAttribute(SESSION_CMS_APP_COUNT);
if (appCount == null) {
getHttpSession().setAttribute(SESSION_CMS_APP_COUNT, new Integer(1));
return 1;
......@@ -555,7 +542,7 @@ public class PluginUserSession extends UserSession {
}
private int decreaseAppCount() {
final Integer appCounter = (Integer)getHttpSession().getAttribute(SESSION_CMS_APP_COUNT);
final Integer appCounter = (Integer) getHttpSession().getAttribute(SESSION_CMS_APP_COUNT);
if (appCounter == null || appCounter.intValue() <= 1) {
getHttpSession().removeAttribute(SESSION_CMS_APP_COUNT);
return 0;
......@@ -566,5 +553,28 @@ public class PluginUserSession extends UserSession {
}
}
private HttpSession getHttpSession() {
return ((ServletWebRequest) RequestCycle.get().getRequest()).getContainerRequest().getSession();
}
private void resetFallbackSession() {
if (fallbackSession != null) {
if (fallbackSession.isLive()) {
fallbackSession.logout();
}
fallbackSession = null;
}
}
public int getAuthorizedAppCounter() {
final Integer appCount = (Integer)getHttpSession().getAttribute(SESSION_CMS_APP_COUNT);
if (appCount == null) {
return 0;
}
return appCount.intValue();
}
public String getUserName() {
return (String)getHttpSession().getAttribute("hippo:username");
}
}
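Review bot: The new public `getUserName()` and `getAuthorizedAppCounter()` carry no Javadoc, and `getUserName()` returns null whenever the `hippo:username` attribute is absent, which `logout()` now clears only once the app count reaches zero; callers that compare against the result need to know that. Suggest `/** Name of the user authenticated in this HTTP session, or {@code null} when no CMS app is logged in. */` on `getUserName()` and a matching summary on `getAuthorizedAppCounter()`. The `"hippo:username"` literal now appears in both `logout()` and `getUserName()`; a `private static final String SESSION_USERNAME = "hippo:username";` next to `SESSION_CMS_APP_COUNT` would keep the two in step, and `increaseAppCount()`/`decreaseAppCount()` could reuse `getAuthorizedAppCounter()` instead of repeating the attribute read and unboxing. The `isLive()` guard in `resetFallbackSession()` appears to change behaviour relative to the inlined checks it replaces in `detach()` and `onInvalidate()`, which logged out unconditionally; a one-line comment on why a no-longer-live JCR session must not be logged out would explain the difference.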