Change in ovirt-engine[master]: webadmin, root: Prevent JSESSIONID cookie for root path

ecohen at redhat.com
Mon May 27 00:20:22 UTC 2013


Einav Cohen has submitted this change and it was merged.

Change subject: webadmin,root: Prevent JSESSIONID cookie for root path
......................................................................


webadmin,root: Prevent JSESSIONID cookie for root path

Engine "root" web application containing various utility
servlets sets JSESSIONID cookie for / (root path) upon
following occasions:

  a. when requesting document file for a missing language,
     DocsServlet ensures HttpSession -> JSESSIONID cookie
     in order to read/store "langPageShown" attribute:
     "Show missing language page only for the first time"

  b. when processing any JSP page, since each JSP gets
     HttpSession -> JSESSIONID cookie created eagerly:
     - ovirt-engine.jsp (splash page)
     - no_lang.jsp (missing language page)

However, setting cookie X for path=/ essentially shadows
any other cookie(s) with same name (X) set for path=/foo

Consider following example:

  1. User visits WebAdmin:
     - new cookie JSESSIONID for path=/webadmin
     - WebAdmin JavaScript reads JSESSIONID cookie,
       correct value is returned

  2. User visits "root" web application:
     - new cookie JSESSIONID for path=/
     - WebAdmin JavaScript reads JSESSIONID cookie,
       wrong value is returned because there are two
       JSESSIONID cookies and path=/ takes precedence

This patch prevents "root" web application from using
JSESSIONID cookie (see occasions a. and b. above), which
prevents cookie shadowing for WebAdmin.

In future, we should consider using different "session"
cookie names for different web applications in order to
avoid such problems.

Change-Id: I3b4c95f0a716bf3cc05d102a1026b3c6aee5879c
Bug-Url: https://bugzilla.redhat.com/966525
Signed-off-by: Vojtech Szocs <vszocs at redhat.com>
---
M backend/manager/modules/root/src/main/java/org/ovirt/engine/core/DocsServlet.java
M backend/manager/modules/root/src/main/webapp/WEB-INF/help/no_lang.jsp
M backend/manager/modules/root/src/main/webapp/WEB-INF/ovirt-engine.jsp
3 files changed, 26 insertions(+), 5 deletions(-)

Approvals:
  Einav Cohen: Verified; Looks good to me, approved


--
To view, visit http://gerrit.ovirt.org/15057
To unsubscribe, visit http://gerrit.ovirt.org/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: I3b4c95f0a716bf3cc05d102a1026b3c6aee5879c
Gerrit-PatchSet: 2
Gerrit-Project: ovirt-engine
Gerrit-Branch: master
Gerrit-Owner: Vojtech Szocs <vszocs at redhat.com>
Gerrit-Reviewer: Alexander Wels <awels at redhat.com>
Gerrit-Reviewer: Einav Cohen <ecohen at redhat.com>
Gerrit-Reviewer: Juan Hernandez <juan.hernandez at redhat.com>
Gerrit-Reviewer: Oved Ourfali <oourfali at redhat.com>
Gerrit-Reviewer: Vojtech Szocs <vszocs at redhat.com>
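
Added example, not part of the commit or the oVirt code base: a small JavaScript model of the cookie shadowing scenario the commit message describes, with the jar after this change and with per-application cookie names for comparison. The cookie values, the two reader functions and the WEBADMIN_SESSION name are assumptions made for illustration; path matching and longest-path-first ordering follow RFC 6265.

```javascript
// Constructed sample jar: both applications have set JSESSIONID (values are made up).
const shadowedJar = [
  { name: "JSESSIONID", value: "root-session", path: "/" },
  { name: "JSESSIONID", value: "webadmin-session", path: "/webadmin" },
];

// Path-match rule from RFC 6265 section 5.1.4.
function pathMatches(cookiePath, requestPath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// String a page at requestPath would read from document.cookie:
// every matching cookie, longer paths listed first (RFC 6265 section 5.4).
function visibleCookies(jar, requestPath) {
  return jar
    .filter((c) => pathMatches(c.path, requestPath))
    .sort((a, b) => b.path.length - a.path.length)
    .map((c) => `${c.name}=${c.value}`)
    .join("; ");
}

// Hypothetical reader that loads all pairs into a map: the last duplicate wins.
function readLastWins(cookieString, name) {
  const seen = new Map();
  for (const pair of cookieString.split("; ")) {
    const eq = pair.indexOf("=");
    if (eq > 0) seen.set(pair.slice(0, eq), pair.slice(eq + 1));
  }
  return seen.get(name);
}

// Hypothetical reader that stops at the first pair with a matching name.
function readFirstWins(cookieString, name) {
  const hit = cookieString.split("; ").find((p) => p.startsWith(name + "="));
  return hit === undefined ? undefined : hit.slice(name.length + 1);
}

// Jar after this change: the root application no longer sets JSESSIONID.
const patchedJar = shadowedJar.filter((c) => c.path !== "/");
// Jar with per-application cookie names (WEBADMIN_SESSION is a hypothetical name).
const renamedJar = [
  { name: "JSESSIONID", value: "root-session", path: "/" },
  { name: "WEBADMIN_SESSION", value: "webadmin-session", path: "/webadmin" },
];

const page = "/webadmin/index.html"; // constructed request path
console.log(readLastWins(visibleCookies(shadowedJar, page), "JSESSIONID"));
```

With the shadowed jar the two readers disagree, so the session id a script sees depends on how its cookie reader resolves the duplicate name; with the patched or renamed jar both readers return the WebAdmin value.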


