From ec7ed84b04cd3981ae01b104bd52fc010f31e6a7 Mon Sep 17 00:00:00 2001
From: James Moger
Date: Thu, 25 Sep 2014 09:06:39 -0400
Subject: Restrict Gitblit cookie to the context path

---
 src/main/java/com/gitblit/wicket/pages/SessionPage.java | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

(limited to 'src/main/java/com/gitblit/wicket/pages/SessionPage.java')

diff --git a/src/main/java/com/gitblit/wicket/pages/SessionPage.java b/src/main/java/com/gitblit/wicket/pages/SessionPage.java
index 7a58175f..7717854b 100644
--- a/src/main/java/com/gitblit/wicket/pages/SessionPage.java
+++ b/src/main/java/com/gitblit/wicket/pages/SessionPage.java
@@ -58,9 +58,11 @@ public abstract class SessionPage extends WebPage {
 if (user == null || user.disabled) {
 // user was deleted/disabled during session
+ HttpServletRequest request = ((WebRequest) getRequestCycle().getRequest())
+ .getHttpServletRequest();
 HttpServletResponse response = ((WebResponse) getRequestCycle().getResponse())
 .getHttpServletResponse();
- app().authentication().logout(response, user);
+ app().authentication().logout(request, response, user);
 session.setUser(null);
 session.invalidateNow();
 return;
@@ -76,7 +78,7 @@ public abstract class SessionPage extends WebPage {
 // cookie was changed during our session
 HttpServletResponse response = ((WebResponse) getRequestCycle().getResponse())
 .getHttpServletResponse();
- app().authentication().logout(response, user);
+ app().authentication().logout(request, response, user);
 session.setUser(null);
 session.invalidateNow();
 return;
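Review bot: The request extraction `((WebRequest) getRequestCycle().getRequest()).getHttpServletRequest()` is now spelled out at three sites in this file (the first hunk here and the setCookie hunk below, with the second hunk reusing a `request` that is not declared inside it and so presumably comes from the enclosing block outside the diff); a private helper such as `private HttpServletRequest httpRequest() { return ((WebRequest) getRequestCycle().getRequest()).getHttpServletRequest(); }` with a matching `httpResponse()` would keep the three sites from drifting. Nothing in the hunk records why the request is now needed at logout, and the answer is security-relevant: a browser only discards a cookie when the clearing Set-Cookie carries the same Path as the original, so a logout that cannot compute the context path would leave the old cookie in place. A comment at the logout call, `// request is needed so the cleared cookie uses the same context-path scope as the one set at login`, would make that explicit at both logout sites. The enclosing method starts and ends outside both hunks.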
@@ -99,8 +101,10 @@ public abstract class SessionPage extends WebPage {
 session.setUser(user);
 
 // Set Cookie
+ WebRequest request = (WebRequest) getRequestCycle().getRequest();
 WebResponse response = (WebResponse) getRequestCycle().getResponse();
- app().authentication().setCookie(response.getHttpServletResponse(), user);
+ app().authentication().setCookie(request.getHttpServletRequest(),
+ response.getHttpServletResponse(), user);
 session.continueRequest();
 }
-- 
cgit v1.2.3
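Review bot: Scoping the cookie to the context path narrows which URLs receive it, but whether `app().authentication().setCookie` also marks the cookie HttpOnly and, for HTTPS requests, Secure cannot be seen from this hunk and is worth confirming, since a path-scoped cookie that is still readable by script or sent over plain HTTP carries the same login token. The new `request` local is used exactly once and could be inlined into the call, mirroring how the response is passed, or both extractions moved to a small helper shared with the logout sites earlier in the file. A one-line comment such as `// cookie Path is derived from the request's context path, so the request must be passed along` would document why the signature changed. The enclosing method begins outside this hunk.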