Do not rely on cookie path for session riding
Change-Id: Ib285a797485ec3180cb9dad0ade556078456073c
diff --git a/Changes b/Changes
index f91d5d9..7b57cfb 100644
--- a/Changes
+++ b/Changes
@@ -2,6 +2,7 @@
- Change default api port to 443.
- Update dependency of logback-classic.
- Add warning regarding protected data.
+ - Do not rely on cookie path for session riding.
This fixes a security issue! Please update!
diff --git a/src/main/java/de/ids_mannheim/korap/plkexport/Service.java b/src/main/java/de/ids_mannheim/korap/plkexport/Service.java
index 2e3deb0..cad662b 100644
--- a/src/main/java/de/ids_mannheim/korap/plkexport/Service.java
+++ b/src/main/java/de/ids_mannheim/korap/plkexport/Service.java
@@ -634,19 +634,19 @@
if (cookies == null)
return "";
- String cookiePath = prop.getProperty("cookie.path", "");
+ String cookieName = prop.getProperty("cookie.name", "");
// Iterate through all cookies for a Kalamar session
for (int i = 0; i < cookies.length; i++) {
- // Check the valid path (often path is not set when sent)
- if (cookiePath != "" && cookies[i].getPath() != "" &&
- cookies[i].getPath() != cookiePath)
+ // Check the valid name and ignore irrelevant cookies
+ if (cookieName == "") {
+ if (!cookies[i].getName().equals("kalamar")) {
+ continue;
+ }
+ } else if (!cookies[i].getName().equals(cookieName)) {
continue;
-
- // Ignore irrelevant cookies
- if (!cookies[i].getName().matches("^kalamar(-.+?)?$"))
- continue;
+ };
// Get the value
String b64 = cookies[i].getValue();