From 3930d00de4e90ae02a9b4370796527296d3fb967 Mon Sep 17 00:00:00 2001
From: Wei Zhou
Date: Fri, 25 Oct 2024 13:46:20 +0200
Subject: [PATCH 1/2] utils: fix invalid JSESSIONID cookie in https setup

When enable.secure.session.cookie is set to true, use cannot login with error
```
2024-10-25T09:03:33,898 DEBUG [c.c.u.HttpUtils] (qtp384617262-21:[ctx-a3ee3670]) (logid:7c5bfd8d) jsessionidFromCookie = node017ygldpe44nub1frmqafsj0qmc18
2024-10-25T09:03:33,898 DEBUG [c.c.u.HttpUtils] (qtp384617262-21:[ctx-a3ee3670]) (logid:7c5bfd8d) session.getId() = node017ygldpe44nub1frmqafsj0qmc18
2024-10-25T09:03:33,898 ERROR [c.c.u.HttpUtils] (qtp384617262-21:[ctx-a3ee3670]) (logid:7c5bfd8d) JSESSIONID from cookie is invalid.
```
---
 utils/src/main/java/com/cloud/utils/HttpUtils.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/utils/src/main/java/com/cloud/utils/HttpUtils.java b/utils/src/main/java/com/cloud/utils/HttpUtils.java
index cc97bf4ba151..32d5a19e8437 100644
--- a/utils/src/main/java/com/cloud/utils/HttpUtils.java
+++ b/utils/src/main/java/com/cloud/utils/HttpUtils.java
@@ -117,7 +117,7 @@ public static boolean validateSessionKey(final HttpSession session, final Map
Date: Mon, 28 Oct 2024 09:50:11 +0100
Subject: [PATCH 2/2] pr9856 option 2: check only if jsessionid is not null

---
 utils/src/main/java/com/cloud/utils/HttpUtils.java | 4 ++--
 utils/src/test/java/com/cloud/utils/HttpUtilsTest.java | 6 +++---
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/utils/src/main/java/com/cloud/utils/HttpUtils.java b/utils/src/main/java/com/cloud/utils/HttpUtils.java
index 32d5a19e8437..2b2450dd31b9 100644
--- a/utils/src/main/java/com/cloud/utils/HttpUtils.java
+++ b/utils/src/main/java/com/cloud/utils/HttpUtils.java
@@ -116,8 +116,8 @@ public static boolean validateSessionKey(final HttpSession session, final Map();
@@ -104,7 +104,7 @@ public void validateSessionKeyTest() {
 params.put(sessionKeyString, new String[]{"incorrectValue"});
 assertFalse(HttpUtils.validateSessionKey(session, params, cookies, sessionKeyString, HttpUtils.ApiSessionKeyCheckOption.CookieOrParameter));
 params.put(sessionKeyString, new String[]{sessionKeyValue});
- assertFalse(HttpUtils.validateSessionKey(session, params, cookies, sessionKeyString, HttpUtils.ApiSessionKeyCheckOption.CookieOrParameter));
+ assertTrue(HttpUtils.validateSessionKey(session, params, cookies, sessionKeyString, HttpUtils.ApiSessionKeyCheckOption.CookieOrParameter));
 // both param and cookies not null test (JSESSIONID is not null but mismatches)
 params = new HashMap();
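Review bot: The flipped assertion `assertTrue(HttpUtils.validateSessionKey(session, params, cookies, sessionKeyString, ...CookieOrParameter))` pins a security-relevant relaxation without saying so. Judging by the commit subject and the comment that follows it, this case seems to run with no JSESSIONID cookie in `cookies`, so a matching session key now validates with the cookie-to-session comparison skipped. Add a comment above it such as `// no JSESSIONID cookie: the cookie/session id comparison is skipped, a matching session key alone validates`, so the behaviour reads as deliberate. It is also worth confirming in HttpUtils.java, whose hunk body is not visible on this page, that a present-but-empty JSESSIONID value is still rejected, and adding an `assertFalse` for that case here. The test method starts and continues outside this hunk.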