Java Code Examples for javax.servlet.http.HttpServletRequest.isRequestedSessionIdValid()

The following are Java code examples showing how to use isRequestedSessionIdValid() of the javax.servlet.http.HttpServletRequest class. You can vote up the examples you like. Your votes will be used in our system to surface more good examples.
Example 1
Project: parabuild-ci   File: DefaultAccessControl.java
/**
 * Check the user's session for validity.
 * <p>
 * The request is rejected when the session id it presented is no longer
 * valid (this also covers a request that presented no session id at all,
 * for which the container reports the requested id as not valid) or when
 * the container has not associated an authenticated remote user with it.
 * @param req The user's request
 * @throws SecurityException if the user's session is invalid or no user is authenticated
 */
protected void assertAuthenticationIsValid(HttpServletRequest req) throws SecurityException
{
    // Touch the session first so that, whichever branch is taken below,
    // any subsequent getSession() call on this request finds a valid one
    req.getSession();

    // Work out which denial applies; the session check takes precedence
    // over the authentication check
    String denialKey = null;
    if (!req.isRequestedSessionIdValid())
    {
        // the presented session id is expired or unknown to the container
        denialKey = "DefaultAccessControl.DeniedByInvalidSession";
    }
    else if (req.getRemoteUser() == null)
    {
        // no authenticated principal is attached to the request
        denialKey = "DefaultAccessControl.DeniedByAuthenticationRequired";
    }

    if (denialKey != null)
    {
        throw new LoginRequiredException(Messages.getString(denialKey));
    }
}
 
Example 2
Project: parabuild-ci   File: Batch.java
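/**
 * Check that this request is not subject to a CSRF attack.
 * <p>
 * The check only applies when the container accepted a session id that the
 * browser delivered in a cookie: the session id carried in the request body
 * (see {@link #getHttpSessionId()}) must echo the session id the browser
 * attached automatically, which a cross-site forged request cannot supply.
 * A request whose session is invalid, whose session id did not come from a
 * cookie, or whose requested session id is empty is not checked here.
 * @param request The original browser's request
 * @param sessionCookieName "JSESSIONID" unless it has been overridden
 * @throws SecurityException if the body session id matches neither the
 *         requested session id nor the raw session cookie value
 */
private void checkNotCsrfAttack(HttpServletRequest request, String sessionCookieName)
{
    // A check to see that this isn't a csrf attack
    // http://en.wikipedia.org/wiki/Cross-site_request_forgery
    // http://www.tux.org/~peterw/csrf.txt
    if (!request.isRequestedSessionIdValid() || !request.isRequestedSessionIdFromCookie())
    {
        return;
    }

    String headerSessionId = request.getRequestedSessionId();
    if (headerSessionId.length() == 0)
    {
        return;
    }

    String bodySessionId = getHttpSessionId();

    // Normal case; if same session cookie is supplied by DWR and
    // in HTTP header then all is ok
    if (headerSessionId.equals(bodySessionId))
    {
        return;
    }

    // Weblogic adds creation time to the end of the incoming
    // session cookie string (even for request.getRequestedSessionId()).
    // Use the raw cookie instead
    if (rawSessionCookieMatches(request.getCookies(), sessionCookieName, bodySessionId))
    {
        return;
    }

    // Otherwise error
    log.error("A request has been denied as a potential CSRF attack.");
    throw new SecurityException("Session Error");
}

/**
 * Does any cookie with the session cookie name carry exactly the given value?
 * @param cookies The cookies from the request; may be null, which the Servlet
 *        API returns when the request carried no cookies at all
 * @param sessionCookieName The name of the session cookie
 * @param bodySessionId The session id from the request body (may be null,
 *        in which case nothing matches)
 * @return true if a cookie named sessionCookieName has exactly bodySessionId as its value
 */
private static boolean rawSessionCookieMatches(Cookie[] cookies, String sessionCookieName, String bodySessionId)
{
    // No cookies means no match; the caller then fails closed rather than
    // dereferencing a null array
    if (cookies == null)
    {
        return false;
    }
    for (int i = 0; i < cookies.length; i++)
    {
        Cookie cookie = cookies[i];
        if (cookie.getName().equals(sessionCookieName) &&
                cookie.getValue().equals(bodySessionId))
        {
            return true;
        }
    }
    return false;
}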