From 57e3fcf4170b4cb7b147d7b35a02945a19a0f4ae Mon Sep 17 00:00:00 2001
From: Rohit Yadav
Date: Wed, 24 Jun 2020 22:28:43 +0530
Subject: [PATCH 1/5] server: Purge all cookies on logout, set /client path on login

This will purge all the cookies on logout including multiple sessionkey cookies if passed. On login, this will restrict sessionkey cookie (httponly) to the /client path like the JSESSIONID cookie.

Fixes #4136

Signed-off-by: Rohit Yadav
---
 server/src/main/java/com/cloud/api/ApiServlet.java | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/server/src/main/java/com/cloud/api/ApiServlet.java b/server/src/main/java/com/cloud/api/ApiServlet.java
index 4002ff8d99b1..f2c50ce618b8 100644
--- a/server/src/main/java/com/cloud/api/ApiServlet.java
+++ b/server/src/main/java/com/cloud/api/ApiServlet.java
@@ -213,7 +213,7 @@ void processRequestInContext(final HttpServletRequest req, final HttpServletResp
 try {
 responseString = apiAuthenticator.authenticate(command, params, session, remoteAddress, responseType, auditTrailSb, req, resp);
 if (session != null && session.getAttribute(ApiConstants.SESSIONKEY) != null) {
- resp.addHeader("SET-COOKIE", String.format("%s=%s;HttpOnly", ApiConstants.SESSIONKEY, session.getAttribute(ApiConstants.SESSIONKEY)));
+ resp.addHeader("SET-COOKIE", String.format("%s=%s;HttpOnly;Path=/client", ApiConstants.SESSIONKEY, session.getAttribute(ApiConstants.SESSIONKEY)));
 }
 } catch (ServerApiException e) {
 httpResponseCode = e.getErrorCode().getHttpCode();
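Review bot: The hand-built Set-Cookie header on the added line still omits the `Secure` attribute, so the sessionkey cookie is also sent over plain HTTP even when the login itself arrived over TLS; the same header is rebuilt by patches 3, 4 and 5 in this series and none of them add it either. Since `req` is in scope the flag can follow the request, e.g. `String.format("%s=%s;HttpOnly;Path=/client%s", ApiConstants.SESSIONKEY, session.getAttribute(ApiConstants.SESSIONKEY), req.isSecure() ? ";Secure" : "")`. A `SameSite` attribute belongs in the same place, since this cookie appears to be what authenticates later API calls; which value fits depends on how the UI is hosted, so I would confirm that with the UI maintainers before picking one. processRequestInContext continues on both sides of this hunk.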
@@ -238,9 +238,14 @@ void processRequestInContext(final HttpServletRequest req, final HttpServletResp
 } catch (final IllegalStateException ignored) {
 }
 }
- Cookie sessionKeyCookie = new Cookie(ApiConstants.SESSIONKEY, "");
- sessionKeyCookie.setMaxAge(0);
- resp.addCookie(sessionKeyCookie);
+ final Cookie[] cookies = req.getCookies();
+ if (cookies != null)
+ for (final Cookie cookie : cookies) {
+ cookie.setValue("");
+ cookie.setMaxAge(0);
+ resp.addCookie(cookie);
+ }
+ }
 }
 HttpUtils.writeHttpResponse(resp, responseString, httpResponseCode, responseType, ApiServer.JSONcontentType.value());
 return;

From 15be473e6c256b3fc8d1088638be2242e67d3fa0 Mon Sep 17 00:00:00 2001
From: Rohit Yadav
Date: Wed, 24 Jun 2020 23:59:23 +0530
Subject: [PATCH 2/5] Add brace

---
 server/src/main/java/com/cloud/api/ApiServlet.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/server/src/main/java/com/cloud/api/ApiServlet.java b/server/src/main/java/com/cloud/api/ApiServlet.java
index f2c50ce618b8..4fa96f91e89c 100644
--- a/server/src/main/java/com/cloud/api/ApiServlet.java
+++ b/server/src/main/java/com/cloud/api/ApiServlet.java
@@ -239,7 +239,7 @@ void processRequestInContext(final HttpServletRequest req, final HttpServletResp
 }
 }
 final Cookie[] cookies = req.getCookies();
- if (cookies != null)
+ if (cookies != null) {
 for (final Cookie cookie : cookies) {
 cookie.setValue("");
 cookie.setMaxAge(0);

From d629eb15bbd76f6b485aa11674947a8575be44b1 Mon Sep 17 00:00:00 2001
From: Rohit Yadav
Date: Thu, 25 Jun 2020 20:44:17 +0530
Subject: [PATCH 3/5] set cookie path to webapp context path

---
 server/src/main/java/com/cloud/api/ApiServlet.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/server/src/main/java/com/cloud/api/ApiServlet.java b/server/src/main/java/com/cloud/api/ApiServlet.java
index 4fa96f91e89c..30d708de19d9 100644
--- a/server/src/main/java/com/cloud/api/ApiServlet.java
+++ b/server/src/main/java/com/cloud/api/ApiServlet.java
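Review bot: The expiring cookies in the new loop carry no `Path` attribute: browsers never send path or domain with a request cookie, so each `resp.addCookie(cookie)` emits `Max-Age=0` under the browser's default-path (the directory of the request URL), and a cookie stored under any other path is simply not removed. The login header a few lines above this hunk now sets an explicit path (`/client` here, `/` by the last patch in this series), so the purge should use the same value, e.g. `cookie.setPath("/client");` next to `cookie.setMaxAge(0);`, ideally from one constant shared by the login header and this loop. A one-line comment on the loop stating that it deliberately expires every cookie the browser sent, not only the session ones, would also help, because that intent is only visible in the commit message. processRequestInContext starts before this hunk.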
@@ -213,7 +213,7 @@ void processRequestInContext(final HttpServletRequest req, final HttpServletResp
 try {
 responseString = apiAuthenticator.authenticate(command, params, session, remoteAddress, responseType, auditTrailSb, req, resp);
 if (session != null && session.getAttribute(ApiConstants.SESSIONKEY) != null) {
- resp.addHeader("SET-COOKIE", String.format("%s=%s;HttpOnly;Path=/client", ApiConstants.SESSIONKEY, session.getAttribute(ApiConstants.SESSIONKEY)));
+ resp.addHeader("SET-COOKIE", String.format("%s=%s;HttpOnly;Path=%s", ApiConstants.SESSIONKEY, session.getAttribute(ApiConstants.SESSIONKEY), req.getContextPath().split("/api")[0]));
 }
 } catch (ServerApiException e) {
 httpResponseCode = e.getErrorCode().getHttpCode();

From b7e88bcb9f336c595c0a8cb80603b10c9997317c Mon Sep 17 00:00:00 2001
From: Rohit Yadav
Date: Sat, 4 Jul 2020 10:42:14 +0530
Subject: [PATCH 4/5] Update ApiServlet.java

---
 server/src/main/java/com/cloud/api/ApiServlet.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/server/src/main/java/com/cloud/api/ApiServlet.java b/server/src/main/java/com/cloud/api/ApiServlet.java
index 30d708de19d9..d07f377e6325 100644
--- a/server/src/main/java/com/cloud/api/ApiServlet.java
+++ b/server/src/main/java/com/cloud/api/ApiServlet.java
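Review bot: `req.getContextPath().split("/api")[0]` on the added line yields the empty string for a webapp deployed at the root context, so the header becomes `Path=` with an empty value and the browser falls back to the request's default-path rather than the intended context path; patch 4 in this series changes the separator to the bare substring `"api"`, which additionally truncates any context path that merely contains those letters. A guard such as `final String ctx = req.getContextPath(); final String cookiePath = ctx.isEmpty() ? "/" : ctx;` would cover both, assuming the servlet is mapped inside the webapp's own context rather than in a separate `/api` context — the deployment layout is not visible from the hunk. Patch 5 replaces the derivation with a fixed `Path=/`, so this mainly matters if that choice is revisited. processRequestInContext continues on both sides of this hunk.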
@@ -213,7 +213,7 @@ void processRequestInContext(final HttpServletRequest req, final HttpServletResp
 try {
 responseString = apiAuthenticator.authenticate(command, params, session, remoteAddress, responseType, auditTrailSb, req, resp);
 if (session != null && session.getAttribute(ApiConstants.SESSIONKEY) != null) {
- resp.addHeader("SET-COOKIE", String.format("%s=%s;HttpOnly;Path=%s", ApiConstants.SESSIONKEY, session.getAttribute(ApiConstants.SESSIONKEY), req.getContextPath().split("/api")[0]));
+ resp.addHeader("SET-COOKIE", String.format("%s=%s;HttpOnly;Path=%s", ApiConstants.SESSIONKEY, session.getAttribute(ApiConstants.SESSIONKEY), req.getContextPath().split("api")[0]));
 }
 } catch (ServerApiException e) {
 httpResponseCode = e.getErrorCode().getHttpCode();

From 6605d015265cdf83717f3fbe9b4c96b4d040081a Mon Sep 17 00:00:00 2001
From: Pearl Dsilva
Date: Tue, 7 Jul 2020 19:57:30 +0530
Subject: [PATCH 5/5] Change sessionkey cookie path

---
 .../src/main/java/org/apache/cloudstack/saml/SAMLUtils.java | 2 +-
 server/src/main/java/com/cloud/api/ApiServlet.java | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/plugins/user-authenticators/saml2/src/main/java/org/apache/cloudstack/saml/SAMLUtils.java b/plugins/user-authenticators/saml2/src/main/java/org/apache/cloudstack/saml/SAMLUtils.java
index 6110cc52288b..6a03d4441152 100644
--- a/plugins/user-authenticators/saml2/src/main/java/org/apache/cloudstack/saml/SAMLUtils.java
+++ b/plugins/user-authenticators/saml2/src/main/java/org/apache/cloudstack/saml/SAMLUtils.java
@@ -280,7 +280,7 @@ public static void setupSamlUserCookies(final LoginCmdResponse loginResponse, fi
 resp.addCookie(new Cookie("timezone", URLEncoder.encode(timezone, HttpUtils.UTF_8)));
 }
 resp.addCookie(new Cookie("userfullname", URLEncoder.encode(loginResponse.getFirstName() + " " + loginResponse.getLastName(), HttpUtils.UTF_8).replace("+", "%20")));
- resp.addHeader("SET-COOKIE", String.format("%s=%s;HttpOnly", ApiConstants.SESSIONKEY, loginResponse.getSessionKey()));
+ resp.addHeader("SET-COOKIE", String.format("%s=%s;HttpOnly;Path=/", ApiConstants.SESSIONKEY, loginResponse.getSessionKey()));
 }
 
 /**
diff --git a/server/src/main/java/com/cloud/api/ApiServlet.java b/server/src/main/java/com/cloud/api/ApiServlet.java
index d07f377e6325..c42980bf6951 100644
--- a/server/src/main/java/com/cloud/api/ApiServlet.java
+++ b/server/src/main/java/com/cloud/api/ApiServlet.java
@@ -213,7 +213,7 @@ void processRequestInContext(final HttpServletRequest req, final HttpServletResp
 try {
 responseString = apiAuthenticator.authenticate(command, params, session, remoteAddress, responseType, auditTrailSb, req, resp);
 if (session != null && session.getAttribute(ApiConstants.SESSIONKEY) != null) {
- resp.addHeader("SET-COOKIE", String.format("%s=%s;HttpOnly;Path=%s", ApiConstants.SESSIONKEY, session.getAttribute(ApiConstants.SESSIONKEY), req.getContextPath().split("api")[0]));
+ resp.addHeader("SET-COOKIE", String.format("%s=%s;HttpOnly;Path=/", ApiConstants.SESSIONKEY, session.getAttribute(ApiConstants.SESSIONKEY)));
 }
 } catch (ServerApiException e) {
 httpResponseCode = e.getErrorCode().getHttpCode();
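Review bot: `Path=/` in both hunks of this patch scopes the sessionkey cookie to the whole origin, which is wider than the `/client` scope that patch 1 set out to match with JSESSIONID, so the two cookies now live under different paths and the commit message gives no reason for the change. A short comment beside each header, e.g. `// Path=/ rather than the webapp context path because <reason — to be filled in by the author>`, would keep a later cleanup from narrowing it again. Cookie paths are not an isolation boundary (the same-origin policy ignores them), so this is a hygiene point rather than a hard regression, but it does interact with the logout purge from patch 1, which expires cookies without an explicit path and therefore only removes a `Path=/` cookie when the request's default-path happens to be `/`. setupSamlUserCookies starts before the first hunk, and the enclosing method of the ApiServlet hunk continues on both sides of it.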