ensure the session cookie value are being properly encoded

author lajoie <lajoie@ab3bd59b-922f-494d-bb5f-6f0a3c29deca>

Tue, 28 Oct 2008 07:03:31 +0000 (07:03 +0000)

committer lajoie <lajoie@ab3bd59b-922f-494d-bb5f-6f0a3c29deca>

Tue, 28 Oct 2008 07:03:31 +0000 (07:03 +0000)
author lajoie <lajoie@ab3bd59b-922f-494d-bb5f-6f0a3c29deca>
Tue, 28 Oct 2008 07:03:31 +0000 (07:03 +0000)
committer lajoie <lajoie@ab3bd59b-922f-494d-bb5f-6f0a3c29deca>
Tue, 28 Oct 2008 07:03:31 +0000 (07:03 +0000)
diff --git a/src/main/java/edu/internet2/middleware/shibboleth/idp/authn/AuthenticationEngine.java b/src/main/java/edu/internet2/middleware/shibboleth/idp/authn/AuthenticationEngine.java

index 21d9b68..847d2ad 100644 (file)
--- a/src/main/java/edu/internet2/middleware/shibboleth/idp/authn/AuthenticationEngine.java
+++ b/src/main/java/edu/internet2/middleware/shibboleth/idp/authn/AuthenticationEngine.java
@@ -45,6 +45,7 @@ import org.opensaml.common.impl.SecureRandomIdentifierGenerator;
  import org.opensaml.saml2.core.AuthnContext;
  import org.opensaml.util.storage.ExpiringObject;
  import org.opensaml.util.storage.StorageService;
+import org.opensaml.ws.transport.http.HTTPTransportUtils;
  import org.opensaml.xml.util.Base64;
  import org.opensaml.xml.util.DatatypeHelper;
  import org.slf4j.Logger;
@@ -729,9 +730,11 @@ public class AuthenticationEngine extends HttpServlet {
          }
  
          LOG.debug("Adding IdP session cookie to HTTP response");
-        Cookie sessionCookie = new Cookie(IDP_SESSION_COOKIE_NAME, Base64.encodeBytes(remoteAddress,
-                Base64.DONT_BREAK_LINES)
-                + "|" + Base64.encodeBytes(sessionId, Base64.DONT_BREAK_LINES) + "|" + signature);
+        StringBuilder cookieValue = new StringBuilder();
+        cookieValue.append(Base64.encodeBytes(remoteAddress, Base64.DONT_BREAK_LINES)).append("|");
+        cookieValue.append(Base64.encodeBytes(sessionId, Base64.DONT_BREAK_LINES)).append("|");
+        cookieValue.append(signature);
+        Cookie sessionCookie = new Cookie(IDP_SESSION_COOKIE_NAME, HTTPTransportUtils.urlEncode(cookieValue.toString()));
  
          String contextPath = httpRequest.getContextPath();
          if (DatatypeHelper.isEmpty(contextPath)) {
diff --git a/src/main/java/edu/internet2/middleware/shibboleth/idp/session/IdPSessionFilter.java b/src/main/java/edu/internet2/middleware/shibboleth/idp/session/IdPSessionFilter.java

index a8e9ff9..3bbb3be 100644 (file)
--- a/src/main/java/edu/internet2/middleware/shibboleth/idp/session/IdPSessionFilter.java
+++ b/src/main/java/edu/internet2/middleware/shibboleth/idp/session/IdPSessionFilter.java
@@ -32,6 +32,7 @@ import javax.servlet.http.Cookie;
  import javax.servlet.http.HttpServletRequest;
  
  import org.joda.time.DateTime;
+import org.opensaml.ws.transport.http.HTTPTransportUtils;
  import org.opensaml.xml.util.Base64;
  import org.opensaml.xml.util.DatatypeHelper;
  import org.slf4j.Logger;
@@ -133,7 +134,7 @@ public class IdPSessionFilter implements Filter {
          // index 0: remote address
          // index 1: session ID
          // index 2: Base64(HMAC(index 0 + index 1))
-        String[] valueComponents = sessionCookie.getValue().split("\\|");
+        String[] valueComponents = HTTPTransportUtils.urlDecode(sessionCookie.getValue()).split("\\|");
          byte[] remoteAddressBytes = Base64.decode(valueComponents[0]);
          byte[] sessionIdBytes = Base64.decode(valueComponents[1]);
          byte[] signatureBytes = Base64.decode(valueComponents[2]);
author	lajoie <lajoie@ab3bd59b-922f-494d-bb5f-6f0a3c29deca>
	Tue, 28 Oct 2008 07:03:31 +0000 (07:03 +0000)
committer	lajoie <lajoie@ab3bd59b-922f-494d-bb5f-6f0a3c29deca>
	Tue, 28 Oct 2008 07:03:31 +0000 (07:03 +0000)
src/main/java/edu/internet2/middleware/shibboleth/idp/authn/AuthenticationEngine.java		patch \| blob \| history
src/main/java/edu/internet2/middleware/shibboleth/idp/session/IdPSessionFilter.java		patch \| blob \| history