pr9856 option 2: check only if jsessionid is not null

weizhouapache · weizhouapache · commit e127a71c221e · 2024-10-28T09:50:11.000+01:00
diff --git a/utils/src/main/java/com/cloud/utils/HttpUtils.java b/utils/src/main/java/com/cloud/utils/HttpUtils.java
@@ -116,8 +116,8 @@ public static boolean validateSessionKey(final HttpSession session, final Map<St
             return false;
         }
         final String jsessionidFromCookie = HttpUtils.findCookie(cookies, "JSESSIONID");
-        if (jsessionidFromCookie == null
-                || !(jsessionidFromCookie.equals(session.getId()) || jsessionidFromCookie.startsWith(session.getId() + '.'))) {
+        if (jsessionidFromCookie != null
+                && !(jsessionidFromCookie.equals(session.getId()) || jsessionidFromCookie.startsWith(session.getId() + '.'))) {
             s_logger.error("JSESSIONID from cookie is invalid.");
             return false;
         }
diff --git a/utils/src/test/java/com/cloud/utils/HttpUtilsTest.java b/utils/src/test/java/com/cloud/utils/HttpUtilsTest.java
@@ -74,7 +74,7 @@ public void validateSessionKeyTest() {
         params = null;
         cookies = new Cookie[]{new Cookie(sessionKeyString, sessionKeyValue)};
         assertFalse(HttpUtils.validateSessionKey(session, params, cookies, "randomString", HttpUtils.ApiSessionKeyCheckOption.CookieOrParameter));
-        assertFalse(HttpUtils.validateSessionKey(session, params, cookies, sessionKeyString, HttpUtils.ApiSessionKeyCheckOption.CookieOrParameter));
+        assertTrue(HttpUtils.validateSessionKey(session, params, cookies, sessionKeyString, HttpUtils.ApiSessionKeyCheckOption.CookieOrParameter));
 
         // param null, cookies not null test (JSESSIONID is not null and matches)
         cookies = new Cookie[2];
@@ -95,7 +95,7 @@ public void validateSessionKeyTest() {
         cookies = null;
         assertFalse(HttpUtils.validateSessionKey(session, params, cookies, sessionKeyString, HttpUtils.ApiSessionKeyCheckOption.CookieOrParameter));
         params.put(sessionKeyString, new String[]{sessionKeyValue});
-        assertFalse(HttpUtils.validateSessionKey(session, params, cookies, sessionKeyString, HttpUtils.ApiSessionKeyCheckOption.CookieOrParameter));
+        assertTrue(HttpUtils.validateSessionKey(session, params, cookies, sessionKeyString, HttpUtils.ApiSessionKeyCheckOption.CookieOrParameter));
 
         // both param and cookies not null test (JSESSIONID is null)
         params = new HashMap<String, Object[]>();
@@ -104,7 +104,7 @@ public void validateSessionKeyTest() {
         params.put(sessionKeyString, new String[]{"incorrectValue"});
         assertFalse(HttpUtils.validateSessionKey(session, params, cookies, sessionKeyString, HttpUtils.ApiSessionKeyCheckOption.CookieOrParameter));
         params.put(sessionKeyString, new String[]{sessionKeyValue});
-        assertFalse(HttpUtils.validateSessionKey(session, params, cookies, sessionKeyString, HttpUtils.ApiSessionKeyCheckOption.CookieOrParameter));
+        assertTrue(HttpUtils.validateSessionKey(session, params, cookies, sessionKeyString, HttpUtils.ApiSessionKeyCheckOption.CookieOrParameter));
 
         // both param and cookies not null test (JSESSIONID is not null but mismatches)
         params = new HashMap<String, Object[]>();

Original file line number	Diff line number	Diff line change
`@@ -116,8 +116,8 @@ public static boolean validateSessionKey(final HttpSession session, final Map<St`
`116`	`116`	`return false;`
`117`	`117`	`}`
`118`	`118`	`final String jsessionidFromCookie = HttpUtils.findCookie(cookies, "JSESSIONID");`
`119`		`- if (jsessionidFromCookie == null`
`120`		`- \|\| !(jsessionidFromCookie.equals(session.getId()) \|\| jsessionidFromCookie.startsWith(session.getId() + '.'))) {`
	`119`	`+ if (jsessionidFromCookie != null`
	`120`	`+ && !(jsessionidFromCookie.equals(session.getId()) \|\| jsessionidFromCookie.startsWith(session.getId() + '.'))) {`
`121`	`121`	`s_logger.error("JSESSIONID from cookie is invalid.");`
`122`	`122`	`return false;`
`123`	`123`	`}`