#25570 include in 23.01.7

dotCMS · Sep 8, 2023 · f2ca816 · f2ca816
1 parent 700491b
commit f2ca816
Show file tree

Hide file tree

Showing 3 changed files with 27 additions and 11 deletions.
diff --git a/docker/dotcms/ROOT/srv/00-config-defaults.sh b/docker/dotcms/ROOT/srv/00-config-defaults.sh
@@ -47,6 +47,7 @@ if [[ "${TOMCAT_REDIS_SESSION_ENABLED}" == 'true' ]]; then
   export TOMCAT_REDIS_MAX_IDLE_CONNECTIONS=${TOMCAT_REDIS_MAX_IDLE_CONNECTIONS:-"100"}
   export TOMCAT_REDIS_MIN_IDLE_CONNECTIONS=${TOMCAT_REDIS_MIN_IDLE_CONNECTIONS:-"32"}
   export TOMCAT_REDIS_ENABLED_FOR_ANON_TRAFFIC=${TOMCAT_REDIS_ENABLED_FOR_ANON_TRAFFIC:-"false"}
+  export TOMCAT_REDIS_UNDEFINED_SESSION_TYPE_TIMEOUT=${TOMCAT_REDIS_UNDEFINED_SESSION_TYPE_TIMEOUT:-"15"}
 fi
 
 

diff --git a/dotCMS/src/main/java/com/dotcms/cms/login/PreventSessionFixationUtil.java b/dotCMS/src/main/java/com/dotcms/cms/login/PreventSessionFixationUtil.java
@@ -2,6 +2,7 @@
 
 import com.dotmarketing.util.Config;
 import com.dotmarketing.util.Logger;
+import io.vavr.Lazy;
 
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpSession;
@@ -10,11 +11,19 @@
 import java.util.Map;
 
 /**
- * Prevent the session fixation if the config property "PREVENT_SESSION_FIXATION_ON_LOGIN" is not in false.
+ * * Allows dotCMS to prevent security problems related to Session Fixation. This behavior is enabled by default, but can
+ *  * be disabled via the following configuration property: {@code PREVENT_SESSION_FIXATION_ON_LOGIN}.
+ *  * <p>This approach helps prevent situations in which a specific session ID is injected to a request, bypassing the
+ *  * expected authentication mechanisms. So, dotCMS can force the generation of a new session object after a successful
+ *  * login, which causes its ID to change.</p>
+ *  *
  * @author jsanca
  */
 public class PreventSessionFixationUtil {
 
+    private static final Lazy<Boolean> PREVENT_SESSION_FIXATION_ON_LOGIN = Lazy.of(() -> Config.getBooleanProperty(
+            "PREVENT_SESSION_FIXATION_ON_LOGIN", true));
+
     private PreventSessionFixationUtil() {
         // singleton
     }
@@ -28,22 +37,26 @@ public static PreventSessionFixationUtil getInstance () {
     }
 
     /**
-     * Gets the current session (if exists) invalidate it and them created a new one with a
-     * copy of the previous session attributes.
-     * @param request {@link HttpServletRequest}
-     * @param createSessionIfDoesNotExists {@link Boolean} if false and the session on the request.getSession(false) returns null (no session created) returns a null session,
-     *                                                    if true will create a new session if does not exists
-     * @return HttpSession
+     * Takes the current {@link HttpSession} from the HTTP Request (if it exists), invalidates it, and then returns a
+     * new session containing all the attributes from the original one.
+     *
+     * @param request                      The current {@link HttpServletRequest} instance.
+     * @param createSessionIfDoesNotExists If set to {@code true} and the current session is {@code null}, forces the
+     *                                     {@link HttpServletRequest} to create a new Session. Otherwise, a null session
+     *                                     is returned.
+     *
+     * @return HttpSession The brand-new session, or {@code null} if depending on the value of the
+     * {@code createSessionIfDoesNotExists} parameter.
      */
     public HttpSession preventSessionFixation(final HttpServletRequest request, final boolean createSessionIfDoesNotExists) {
 
         HttpSession session = request.getSession(false);
 
-        if(Config.getBooleanProperty("PREVENT_SESSION_FIXATION_ON_LOGIN", true)) {
+        if (PREVENT_SESSION_FIXATION_ON_LOGIN.get()) {
 
             Logger.debug(this, ()-> "Preventing the session fixation");
 
-            final Map<String, Object> sessionMap  = new HashMap<>();
+            final Map<String, Object> oldSessionMap  = new HashMap<>();
             final HttpSession oldSession          = session;
 
             if (null != oldSession) {
@@ -54,13 +67,14 @@ public HttpSession preventSessionFixation(final HttpServletRequest request, fina
 
                     final String key = keys.nextElement();
                     final Object value = oldSession.getAttribute(key);
-                    sessionMap.put(key, value);
+                    oldSessionMap.put(new String(key.toCharArray()), value);
                 }
+                final Map<String, Object> newSessionMap = Map.copyOf(oldSessionMap);
 
                 oldSession.invalidate();
 
                 final HttpSession newSession = request.getSession();
-                for (final Map.Entry<String, Object> entry : sessionMap.entrySet()) {
+                for (final Map.Entry<String, Object> entry : newSessionMap.entrySet()) {
                     newSession.setAttribute(entry.getKey(), entry.getValue());
                 }
 

diff --git a/hotfix_tracking.md b/hotfix_tracking.md
@@ -120,3 +120,4 @@ This maintenance release includes the following code fixes:
 
 97. https://github.com/dotCMS/core/issues/24294 : Implement Redisson Session sharing #24294
 98. https://github.com/dotCMS/core/issues/24990 : Punch List : Redis Session Manager #24990
+99. https://github.com/dotCMS/core/issues/25570 : Redis / Session-less testing and improvements #25570