authorMarc Englund <marc.englund@itmill.com>2008-11-11 13:19:32 +0000
committerMarc Englund <marc.englund@itmill.com>2008-11-11 13:19:32 +0000
commit558d81f9e1b2e00975f91d9f9cd1d83611fca0c5 (patch)
tree88f258bed0995c54544dca7aed65342066f06468 /src/com/itmill/toolkit/terminal/gwt/server
parent584d3d9806256210fd5595024d7d7a06796b648a (diff)
Changed double cookie submission to use JSESSIONID; it can be disabled. Cleaned up.
svn changeset:5863/svn branch:trunk
Diffstat (limited to 'src/com/itmill/toolkit/terminal/gwt/server')
-rw-r--r--src/com/itmill/toolkit/terminal/gwt/server/ApplicationServlet.java10
-rw-r--r--src/com/itmill/toolkit/terminal/gwt/server/CommunicationManager.java18
2 files changed, 17 insertions, 11 deletions
diff --git a/src/com/itmill/toolkit/terminal/gwt/server/ApplicationServlet.java b/src/com/itmill/toolkit/terminal/gwt/server/ApplicationServlet.java
index 007843bef9..47d56f4cef 100644
--- a/src/com/itmill/toolkit/terminal/gwt/server/ApplicationServlet.java
+++ b/src/com/itmill/toolkit/terminal/gwt/server/ApplicationServlet.java
@@ -27,7 +27,6 @@ import java.util.Properties;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletOutputStream;
-import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
@@ -44,7 +43,6 @@ import com.itmill.toolkit.terminal.ParameterHandler;
import com.itmill.toolkit.terminal.Terminal;
import com.itmill.toolkit.terminal.ThemeResource;
import com.itmill.toolkit.terminal.URIHandler;
-import com.itmill.toolkit.terminal.gwt.client.ApplicationConnection;
import com.itmill.toolkit.ui.Window;
/**
@@ -531,7 +529,7 @@ public class ApplicationServlet extends HttpServlet {
} catch (final GeneralSecurityException e) {
// TODO handle differently?
- // Invalid security key, show session expired message for now
+ // Invalid security key, show session expired message for now.
try {
Application.SystemMessages ci = getSystemMessages();
if (!UIDLrequest) {
@@ -772,12 +770,6 @@ public class ApplicationServlet extends HttpServlet {
HttpServletResponse response, Window window, String themeName,
Application application) throws IOException, MalformedURLException {
- // Security: double cookie submission pattern
- Cookie secCookie = new Cookie(
- ApplicationConnection.UIDL_SECURITY_COOKIE_NAME, request
- .getSession().getId());
- response.addCookie(secCookie);
-
// e.g portlets only want a html fragment
boolean fragment = (request.getAttribute(REQUEST_FRAGMENT) != null);
if (fragment) {
diff --git a/src/com/itmill/toolkit/terminal/gwt/server/CommunicationManager.java b/src/com/itmill/toolkit/terminal/gwt/server/CommunicationManager.java
index 56d4559f22..a9e397d2d2 100644
--- a/src/com/itmill/toolkit/terminal/gwt/server/CommunicationManager.java
+++ b/src/com/itmill/toolkit/terminal/gwt/server/CommunicationManager.java
@@ -593,8 +593,22 @@ public class CommunicationManager implements Paintable.RepaintRequestListener {
// Manage bursts one by one
final String[] bursts = changes.split(VAR_BURST_SEPARATOR);
- // check security key (==sessionid, double cookie submission
- if (!request.getSession().getId().equals(bursts[0])) {
+ boolean nocheck = "true".equals(application2
+ .getProperty("disable-xsrf-protection"));
+ // Security: double cookie submission pattern
+ if (!nocheck && bursts.length == 1 && "undefined".equals(bursts[0])) {
+ // No seckey, but no variables: initial request
+ /*- don't set key, we're using JSESSIONID
+ Cookie secCookie = new Cookie(
+ ApplicationConnection.UIDL_SECURITY_COOKIE_NAME,
+ request.getSession().getId());
+ secCookie.setPath("/");
+ response.addCookie(secCookie);
+ -*/
+ return true;
+
+ } else if (!nocheck
+ && !request.getSession().getId().equals(bursts[0])) {
throw new InvalidUIDLSecurityKeyException(
"Invalid UIDL security key");
}
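Review bot: The new guard at `if (!nocheck && bursts.length == 1 && "undefined".equals(bursts[0]))` relies on the literal string "undefined" as the marker for an initial request with no variables, which looks like the client concatenating an unset JavaScript value into the request body; a named constant plus a comment such as `// Client sends the JS string "undefined" when it has no security key yet; only accepted when no variable bursts follow.` would make that contract explicit for the next reader. The commented-out `/*- ... -*/` cookie block inside that branch is dead code now that the session id carries the key and should be deleted, leaving only the one-line comment on why no cookie is set. The lookup `"true".equals(application2.getProperty("disable-xsrf-protection"))` defaults to protection on when the property is absent, which is the right default but deserves a comment saying so. The enclosing method continues past the end of the hunk.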