Java Code Examples for javax.servlet.http.HttpServletRequest.isRequestedSessionIdFromCookie()

The following are Java code examples showing how to use isRequestedSessionIdFromCookie() of the javax.servlet.http.HttpServletRequest class. You can vote up the examples you like. Your votes will be used in our system to get more good examples.
Example 1
Project: lams   File: IncludeTag.java
/**
 *  Add a session id cookie if appropriate. Can be overloaded to
 *  support a cluster.
 *  <p>
 *  The cookie header is only set when every one of these holds: the
 *  connection is an HTTP connection, the target URL string starts with
 *  this web application's context path, the current request carries a
 *  session id, and that id arrived in a cookie rather than a rewritten
 *  URL. NOTE(review): for an application deployed at the root context
 *  {@code getContextPath()} is the empty string, so the prefix test
 *  accepts any URL string; the caller is responsible for keeping the
 *  include target on the same host so the session id is not sent
 *  elsewhere.
 * @param conn the connection the {@code Cookie} request header is set on
 * @param urlString the URL being included
 * @param request the current request, source of the session id
 * @since Struts 1.2.0
 */
protected void addCookie(URLConnection conn, String urlString, HttpServletRequest request) {
    if (!(conn instanceof HttpURLConnection)) {
        return;
    }
    if (!urlString.startsWith(request.getContextPath())) {
        return;
    }
    String sessionId = request.getRequestedSessionId();
    if (sessionId == null || !request.isRequestedSessionIdFromCookie()) {
        return;
    }
    // Forward the caller's own session so the included resource runs in it.
    conn.setRequestProperty("Cookie", "JSESSIONID=" + sessionId);
}
 
Example 2
Project: parabuild-ci   File: Batch.java
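/**
 * Check that this request is not subject to a CSRF attack
 * <p>
 * The session id the container took from the request's cookie must match
 * the session id obtained from {@link #getHttpSessionId()} (presumably the
 * id DWR placed in the batch body). A cross-site request can make the
 * browser attach the cookie, but the forging page cannot read the cookie
 * to copy its value into the body, so a mismatch is treated as forgery.
 * Nothing is checked when the requested session id is invalid, empty, or
 * was supplied by URL rewriting rather than a cookie.
 * @param request The original browser's request
 * @param sessionCookieName "JSESSIONID" unless it has been overridden
 * @throws SecurityException if the cookie session id and the body session
 *         id disagree
 */
private void checkNotCsrfAttack(HttpServletRequest request, String sessionCookieName)
{
    // A check to see that this isn't a csrf attack
    // http://en.wikipedia.org/wiki/Cross-site_request_forgery
    // http://www.tux.org/~peterw/csrf.txt
    if (!request.isRequestedSessionIdValid() || !request.isRequestedSessionIdFromCookie())
    {
        return;
    }

    String headerSessionId = request.getRequestedSessionId();
    if (headerSessionId.length() == 0)
    {
        return;
    }

    String bodySessionId = getHttpSessionId();

    // Normal case; if same session cookie is supplied by DWR and
    // in HTTP header then all is ok
    if (headerSessionId.equals(bodySessionId))
    {
        return;
    }

    // Weblogic adds creation time to the end of the incoming
    // session cookie string (even for request.getRequestedSessionId()).
    // Use the raw cookie instead. getCookies() returns null when the
    // request carries no cookies, so guard it instead of risking an NPE
    // that would mask the real outcome (denial) below.
    Cookie[] cookies = request.getCookies();
    if (cookies != null)
    {
        for (int i = 0; i < cookies.length; i++)
        {
            Cookie cookie = cookies[i];
            if (cookie.getName().equals(sessionCookieName) &&
                    cookie.getValue().equals(bodySessionId))
            {
                return;
            }
        }
    }

    // Otherwise error: fail closed, the ids do not agree.
    log.error("A request has been denied as a potential CSRF attack.");
    throw new SecurityException("Session Error");
}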