From 66a645993079d4982fdce32a7a9e364d73477f29 Mon Sep 17 00:00:00 2001
From: Rodrigo Andrade
Date: Mon, 25 Apr 2016 18:42:07 -0300
Subject: [PATCH 1/3] removing password from cookie
---
 src/main/java/com/gitblit/auth/AuthenticationProvider.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/main/java/com/gitblit/auth/AuthenticationProvider.java b/src/main/java/com/gitblit/auth/AuthenticationProvider.java
index 0bfe23515..d896386b6 100644
--- a/src/main/java/com/gitblit/auth/AuthenticationProvider.java
+++ b/src/main/java/com/gitblit/auth/AuthenticationProvider.java
@@ -81,7 +81,7 @@ public String getServiceName() {
 protected void setCookie(UserModel user, char [] password) {
 // create a user cookie
 if (StringUtils.isEmpty(user.cookie) && !ArrayUtils.isEmpty(password)) {
- user.cookie = StringUtils.getSHA1(user.username + new String(password));
+ user.cookie = StringUtils.getSHA1(user.username);
 }
 }
From acce8d39c5cd39a753663dcfdf1e64ff170c9aa3 Mon Sep 17 00:00:00 2001
From: Rodrigo Andrade
Date: Mon, 25 Apr 2016 19:09:45 -0300
Subject: [PATCH 2/3] removing password from cookie throughout all auth providers
---
 src/main/java/com/gitblit/auth/AuthenticationProvider.java | 4 ++--
 src/main/java/com/gitblit/auth/HtpasswdAuthProvider.java | 2 +-
 src/main/java/com/gitblit/auth/LdapAuthProvider.java | 2 +-
 src/main/java/com/gitblit/auth/PAMAuthProvider.java | 2 +-
 src/main/java/com/gitblit/auth/RedmineAuthProvider.java | 2 +-
 src/main/java/com/gitblit/auth/SalesforceAuthProvider.java | 2 +-
 src/main/java/com/gitblit/auth/WindowsAuthProvider.java | 2 +-
 7 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/src/main/java/com/gitblit/auth/AuthenticationProvider.java b/src/main/java/com/gitblit/auth/AuthenticationProvider.java
index d896386b6..74002560b 100644
--- a/src/main/java/com/gitblit/auth/AuthenticationProvider.java
+++ b/src/main/java/com/gitblit/auth/AuthenticationProvider.java
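Review bot: After this hunk the cookie is `StringUtils.getSHA1(user.username)`, a value anyone who knows the account name can compute, whereas the removed line at least folded in a secret; if `user.cookie` is what the server accepts as a persistent-login credential (its consumer is not in the patch, so confirm), the change turns a password-derived token into a public one. Seed it with unpredictable per-user material instead, e.g. `user.cookie = StringUtils.getSHA1(user.username + UUID.randomUUID());` (needs `java.util.UUID`; `UUID.randomUUID()` draws from a cryptographically strong generator), and make sure the result is stored, which ConfigUserService already does through its COOKIE key. The same username-only derivation is in the patch-2 hunk of AuthenticationProvider.java and in the ConfigUserService.java hunk of patch 3; fix all three together. The remaining guard `!ArrayUtils.isEmpty(password)` on the context line no longer protects anything once the password is not used.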
@@ -78,9 +78,9 @@ public String getServiceName() {
 public abstract AuthenticationType getAuthenticationType();
- protected void setCookie(UserModel user, char [] password) {
+ protected void setCookie(UserModel user) {
 // create a user cookie
- if (StringUtils.isEmpty(user.cookie) && !ArrayUtils.isEmpty(password)) {
+ if (StringUtils.isEmpty(user.cookie)) {
 user.cookie = StringUtils.getSHA1(user.username);
 }
 }
diff --git a/src/main/java/com/gitblit/auth/HtpasswdAuthProvider.java b/src/main/java/com/gitblit/auth/HtpasswdAuthProvider.java
index 2cdabf6f8..3a6cb8ec1 100644
--- a/src/main/java/com/gitblit/auth/HtpasswdAuthProvider.java
+++ b/src/main/java/com/gitblit/auth/HtpasswdAuthProvider.java
@@ -196,7 +196,7 @@ else if (supportPlaintextPwd() && storedPwd.equals(passwd)){
 }
 // create a user cookie
- setCookie(user, password);
+ setCookie(user);
 // Set user attributes, hide password from backing user service.
 user.password = Constants.EXTERNAL_ACCOUNT;
diff --git a/src/main/java/com/gitblit/auth/LdapAuthProvider.java b/src/main/java/com/gitblit/auth/LdapAuthProvider.java
index cc772e7b4..b7efd4a04 100644
--- a/src/main/java/com/gitblit/auth/LdapAuthProvider.java
+++ b/src/main/java/com/gitblit/auth/LdapAuthProvider.java
@@ -360,7 +360,7 @@ public UserModel authenticate(String username, char[] password) {
 }
 // create a user cookie
- setCookie(user, password);
+ setCookie(user);
 if (!supportsTeamMembershipChanges()) {
 getTeamsFromLdap(ldapConnection, simpleUsername, loggingInUser, user);
diff --git a/src/main/java/com/gitblit/auth/PAMAuthProvider.java b/src/main/java/com/gitblit/auth/PAMAuthProvider.java
index 46f4dd6a6..b38d49df9 100644
--- a/src/main/java/com/gitblit/auth/PAMAuthProvider.java
+++ b/src/main/java/com/gitblit/auth/PAMAuthProvider.java
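Review bot: `setCookie` no longer references `ArrayUtils` after this hunk, so the file's `ArrayUtils` import is probably dead; it sits outside the hunk, so check whether anything else in the file uses it before removing it. The method also has no Javadoc and the `// create a user cookie` comment merely repeats the name; a header such as `/** Assigns {@code user.cookie} when it is still empty. The caller is responsible for persisting the user afterwards. */` would state the contract subclasses rely on. Whether every caller does persist the user after this call cannot be seen here (SalesforceAuthProvider's hunk shows an `updateUser(user)` right after it; the others do not show one).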
@@ -122,7 +122,7 @@ public UserModel authenticate(String username, char[] password) {
 }
 // create a user cookie
- setCookie(user, password);
+ setCookie(user);
 // update user attributes from UnixUser
 user.accountType = getAccountType();
diff --git a/src/main/java/com/gitblit/auth/RedmineAuthProvider.java b/src/main/java/com/gitblit/auth/RedmineAuthProvider.java
index 27cece299..364aff042 100644
--- a/src/main/java/com/gitblit/auth/RedmineAuthProvider.java
+++ b/src/main/java/com/gitblit/auth/RedmineAuthProvider.java
@@ -139,7 +139,7 @@ public UserModel authenticate(String username, char[] password) {
 }
 // create a user cookie
- setCookie(user, password);
+ setCookie(user);
 // update user attributes from Redmine
 user.accountType = getAccountType();
diff --git a/src/main/java/com/gitblit/auth/SalesforceAuthProvider.java b/src/main/java/com/gitblit/auth/SalesforceAuthProvider.java
index df033c27a..79c3a0c47 100644
--- a/src/main/java/com/gitblit/auth/SalesforceAuthProvider.java
+++ b/src/main/java/com/gitblit/auth/SalesforceAuthProvider.java
@@ -66,7 +66,7 @@ public UserModel authenticate(String username, char[] password) {
 user = new UserModel(simpleUsername);
 }
- setCookie(user, password);
+ setCookie(user);
 setUserAttributes(user, info);
 updateUser(user);
diff --git a/src/main/java/com/gitblit/auth/WindowsAuthProvider.java b/src/main/java/com/gitblit/auth/WindowsAuthProvider.java
index aee51008a..4c31fb15b 100644
--- a/src/main/java/com/gitblit/auth/WindowsAuthProvider.java
+++ b/src/main/java/com/gitblit/auth/WindowsAuthProvider.java
@@ -153,7 +153,7 @@ public UserModel authenticate(String username, char[] password) {
 }
 // create a user cookie
- setCookie(user, password);
+ setCookie(user);
 // update user attributes from Windows identity
 user.accountType = getAccountType();
From aac3f1c2c6dec400d9767fa3b86f01bd65f72c50 Mon Sep 17 00:00:00 2001
From: Rodrigo Andrade
Date: Mon, 25 Apr 2016 19:11:27 -0300
Subject: [PATCH 3/3] removing password from user cookie #1063
---
 src/main/java/com/gitblit/ConfigUserService.java | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/main/java/com/gitblit/ConfigUserService.java b/src/main/java/com/gitblit/ConfigUserService.java
index 6d7230f71..6511f0236 100644
--- a/src/main/java/com/gitblit/ConfigUserService.java
+++ b/src/main/java/com/gitblit/ConfigUserService.java
@@ -897,8 +897,8 @@ protected synchronized void read() {
 user.stateProvince = config.getString(USER, username, STATEPROVINCE);
 user.countryCode = config.getString(USER, username, COUNTRYCODE);
 user.cookie = config.getString(USER, username, COOKIE);
- if (StringUtils.isEmpty(user.cookie) && !StringUtils.isEmpty(user.password)) {
- user.cookie = StringUtils.getSHA1(user.username + user.password);
+ if (StringUtils.isEmpty(user.cookie)) {
+ user.cookie = StringUtils.getSHA1(user.username);
 }
 // preferences
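Review bot: Dropping `!StringUtils.isEmpty(user.password)` from the condition makes `read()` assign a cookie to every stored user that has none, including records whose password field is empty, which the old guard skipped; whether such accounts should be reachable by cookie login at all is a policy question the commit message does not address. If the intent was only to stop hashing the password, keep the guard and change just the derivation: `if (StringUtils.isEmpty(user.cookie) && !StringUtils.isEmpty(user.password)) {`. Note also that this minting happens on every config load, so if the value is ever made non-deterministic it must be written back to the config to stay stable across restarts; the enclosing read() loop starts outside the hunk, so whether a write-back follows cannot be seen here.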