From 39c42634909a70cc5ef1d414bb58efc01ddca055 Mon Sep 17 00:00:00 2001
From: Konstantin Kolinko
Date: Sun, 11 Nov 2012 16:25:18 +0000
Subject: [PATCH] In FormAuthenticator: If it is configured to change Session IDs, do the change before displaying the login form.

git-svn-id: https://svn.apache.org/repos/asf/tomcat/trunk@1408043 13f79535-47bb-0310-9956-ffa450edef68
---
 .../catalina/authenticator/FormAuthenticator.java | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/java/org/apache/catalina/authenticator/FormAuthenticator.java b/java/org/apache/catalina/authenticator/FormAuthenticator.java
index 03b65a740869..43978fb55e9b 100644
--- a/java/org/apache/catalina/authenticator/FormAuthenticator.java
+++ b/java/org/apache/catalina/authenticator/FormAuthenticator.java
@@ -28,6 +28,7 @@
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
+import org.apache.catalina.Manager;
 import org.apache.catalina.Realm;
 import org.apache.catalina.Session;
 import org.apache.catalina.connector.Request;
@@ -381,6 +382,15 @@ protected void forwardToLoginPage(Request request,
 return;
 }
 
+ if (getChangeSessionIdOnAuthentication()) {
+ Session session = request.getSessionInternal(false);
+ if (session != null) {
+ Manager manager = request.getContext().getManager();
+ manager.changeSessionId(session);
+ request.changeSessionId(session.getId());
+ }
+ }
+
 // Always use GET for the login page, regardless of the method used
 String oldMethod = request.getMethod();
 request.getCoyoteRequest().method().setString("GET");
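Review bot: The added block in forwardToLoginPage rotates the session ID with no comment saying why it happens at this point, and the reason is security-relevant. I would put `// Rotate the ID before the login form is rendered so an ID fixed before login is not the one the credentials are posted under (session fixation).` above the `if (getChangeSessionIdOnAuthentication())` line. The comment should also say whether this is in addition to the rotation done on successful authentication; that code is not visible in this hunk, and rotating only before the form would not cover an ID learned between form display and login. The method body starts and ends outside the hunk, so the early `return;` above is assumed to be an error path on which no form is shown.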