In FormAuthenticator: If it is configured to change Session IDs,

do the change before displaying the login form. git-svn-id: https://svn.apache.org/repos/asf/tomcat/trunk@1408043 13f79535-47bb-0310-9956-ffa450edef68
apache · Nov 11, 2012 · 39c4263 · 39c4263
1 parent 8fea85c
commit 39c4263
Showing 1 changed file with 10 additions and 0 deletions.
diff --git a/java/org/apache/catalina/authenticator/FormAuthenticator.java b/java/org/apache/catalina/authenticator/FormAuthenticator.java
@@ -28,6 +28,7 @@
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
+import org.apache.catalina.Manager;
 import org.apache.catalina.Realm;
 import org.apache.catalina.Session;
 import org.apache.catalina.connector.Request;
@@ -381,6 +382,15 @@ protected void forwardToLoginPage(Request request,
             return;
         }
 
+        if (getChangeSessionIdOnAuthentication()) {
+            Session session = request.getSessionInternal(false);
+            if (session != null) {
+                Manager manager = request.getContext().getManager();
+                manager.changeSessionId(session);
+                request.changeSessionId(session.getId());
+            }
+        }
+
         // Always use GET for the login page, regardless of the method used
         String oldMethod = request.getMethod();
         request.getCoyoteRequest().method().setString("GET");