Skip to content

server: Purge all cookies on logout, set /client path on login #4176

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
yadvr merged 5 commits into from
Jul 8, 2020
Merged

server: Purge all cookies on logout, set /client path on login #4176

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
57e3fcf
server: Purge all cookies on logout, set /client path on login
yadvr Jun 24, 2020
15be473
Add brace
yadvr Jun 24, 2020
d629eb1
set cookie path to webapp context path
yadvr Jun 25, 2020
b7e88bc
Update ApiServlet.java
yadvr Jul 4, 2020
6605d01
Change sessionkey cookie path
Jul 7, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion plugins/user-authenticators/saml2/src/main/java/org/apache/cloudstack/saml/SAMLUtils.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -280,7 +280,7 @@ public static void setupSamlUserCookies(final LoginCmdResponse loginResponse, fi
resp.addCookie(new Cookie("timezone", URLEncoder.encode(timezone, HttpUtils.UTF_8)));
}
resp.addCookie(new Cookie("userfullname", URLEncoder.encode(loginResponse.getFirstName() + " " + loginResponse.getLastName(), HttpUtils.UTF_8).replace("+", "%20")));
resp.addHeader("SET-COOKIE", String.format("%s=%s;HttpOnly", ApiConstants.SESSIONKEY, loginResponse.getSessionKey()));
resp.addHeader("SET-COOKIE", String.format("%s=%s;HttpOnly;Path=/", ApiConstants.SESSIONKEY, loginResponse.getSessionKey()));
}

/**
Expand Down
13 changes: 9 additions & 4 deletions server/src/main/java/com/cloud/api/ApiServlet.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -213,7 +213,7 @@ void processRequestInContext(final HttpServletRequest req, final HttpServletResp
try {
responseString = apiAuthenticator.authenticate(command, params, session, remoteAddress, responseType, auditTrailSb, req, resp);
if (session != null && session.getAttribute(ApiConstants.SESSIONKEY) != null) {
resp.addHeader("SET-COOKIE", String.format("%s=%s;HttpOnly", ApiConstants.SESSIONKEY, session.getAttribute(ApiConstants.SESSIONKEY)));
resp.addHeader("SET-COOKIE", String.format("%s=%s;HttpOnly;Path=/", ApiConstants.SESSIONKEY, session.getAttribute(ApiConstants.SESSIONKEY)));
}
} catch (ServerApiException e) {
httpResponseCode = e.getErrorCode().getHttpCode();
Expand All @@ -238,9 +238,14 @@ void processRequestInContext(final HttpServletRequest req, final HttpServletResp
} catch (final IllegalStateException ignored) {
}
}
Cookie sessionKeyCookie = new Cookie(ApiConstants.SESSIONKEY, "");
sessionKeyCookie.setMaxAge(0);
resp.addCookie(sessionKeyCookie);
final Cookie[] cookies = req.getCookies();
if (cookies != null) {
for (final Cookie cookie : cookies) {
cookie.setValue("");
cookie.setMaxAge(0);
resp.addCookie(cookie);
}
}
}
HttpUtils.writeHttpResponse(resp, responseString, httpResponseCode, responseType, ApiServer.JSONcontentType.value());
return;
Expand Down