Package org.apache.tomcat.core

Examples of org.apache.tomcat.core.ServerSession


      return 0;
  }

  int count=request.getCookies().getCookieCount();

  ServerSession sess=null;

  if( ! cookiesFirst  ) {
      // try the information from URL rewriting
      sessionId= request.getRequestedSessionId();
      sess=processSession( request, sessionId,


           String sessionId, String source )
    {
  BaseInterceptor reqI[]= request.getContainer().
      getInterceptors(Container.H_findSession);
 
  ServerSession sess=null;
  for( int i=0; i< reqI.length; i++ ) {
      sess=reqI[i].findSession( request,
              sessionId,  false );
      if( sess!=null ) break;
  }

        /* The following block of code verifies if Tomcat session matches
           SSL session (if one was ever passed to Tomcat). Just in case
           somebody is trying to steal Tomcat sessions over SSL.
           We can't verify that if SSL is not used. */

        // Do this only if request is over SSL
        if(checkSSLSessionId && sess != null && request.isSecure() ){
          // SSL session ID from session and request - they have to be equal!
          String ids=(String)sess.getAttribute("javax.servlet.session.ssl_session"),
                 idr=(String)request.getAttribute("javax.servlet.request.ssl_session");

          if(debug>0) cm.log("Request SSL ID="+idr+", Session SSL ID="+ids);

          if(idr != null){ // Only do this if there is an SSL session ID
            if(ids != null){ // Do we have a stored SSL session ID from before?
              if(!ids.equals(idr)){ // Is someone cheating?
                sess=null; // No sessions for thugs
                cm.log("SECURITY WARNING: SSL session "+idr+
                       " doesn't match Tomcat session "+sessionId+"!");
              }
            } else { // First time, save the SSL session ID
              sess.setAttribute("javax.servlet.session.ssl_session",idr);
            }
          } else { // Check requested but no SSL session ID, scream about it!
            cm.log("SECURITY WARNING: checkSSLSessionId requested, "+
                                     "but no SSL session ID available!");
          }
        }

  if (sess != null) {
      request.setRequestedSessionId( sessionId );
      request.setSessionIdSource( source );
      // since we verified this sessionID, we can also set
      // it and adjust the session
      request.setSession( sess );
      request.setSessionId( sessionId );
     
      sess.touch( System.currentTimeMillis() );

      // if the session was NEW ( never accessed - change it's state )
      if( sess.getState() == ServerSession.STATE_NEW ) {
    sess.setState( ServerSession.STATE_ACCESSED, request);
      }
  }
  return sess;
    }

      this.se=se;
      this.debug=debug;
  }
 
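  /**
   * Handles expiry of the session that owns the given time stamp: the
   * session is marked EXPIRED, recycled, and then marked INVALID.
   *
   * @param o time stamp whose parent is cast to the {@code ServerSession}
   *          being expired
   */
  public void expired(TimeStamp o ) {
      ServerSession sses=(ServerSession)o.getParent();
      // The comparison had lost its right-hand operand ("debug > )"), which
      // does not compile; 0 matches the second debug guard below.
      // NOTE(review): both log lines concatenate the session object; confirm
      // its toString() does not print the session ID into debug logs.
      if( debug > 0 ) {
          se.log( "Session expired " + sses);
      }
      sses.setState( ServerSession.STATE_EXPIRED );
      // After expiring it, we clean up.
      if( debug > 0 ) se.log( "Recycling " + sses);
      sses.recycle();
      // Set INVALID only after recycle() so the final state is INVALID.
      sses.setState( ServerSession.STATE_INVALID );
  }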

     *  Since this is not part of the spec, it's disabled by default.
     * 
     */
    public int beforeBody( Request req, Response res ) {
  if( useSessionEncoding ) {
      ServerSession sess=req.getSession( false );
      if( sess!=null ) {
    String charset=res.getCharacterEncoding(false);
    if( charset!=null ) {
        sess.setNote( sessionEncodingNote, charset );
        if( debug > 0 )
      log( "Setting per session encoding " + charset);
    }
      }
  }

       + charset );
      }
     
      // Use session attributes
      if( charset==null && useSessionEncoding ) {
    ServerSession sess=req.getSession( false );
    if( sess!=null ) {
        charset=(String)sess.getNote( sessionEncodingNote );
        if( debug > 0 && charset!=null )
      log("Charset from session " + charset );
    }
      }

    }

    /**
     * Returns the {@code HttpSession} facade that wraps the request's
     * underlying {@code ServerSession}, building and attaching the facade
     * the first time a session without one is seen.
     *
     * @param create passed straight through to {@code request.getSession}
     * @return the facade for the underlying session, or {@code null} when
     *         the request yields no session
     */
    public HttpSession getSession(boolean create) {
        final ServerSession backing = (ServerSession) request.getSession(create);

        if (backing != null) {
            // Reuse the facade already attached to the session when present.
            sessionFacade = (HttpSessionFacade) backing.getFacade();
            if (sessionFacade == null) {
                sessionFacade = new HttpSessionFacade();
                sessionFacade.setRealSession(backing);
                backing.setFacade(sessionFacade);
            }
            return sessionFacade;
        }

        // No underlying session: clear the cached facade so a previously
        // returned one is not kept around.
        sessionFacade = null;
        return null;
    }

        return request.getRequestedSessionId();
    }
   
    /**
     * Reports whether the session ID requested by the client identifies the
     * session currently attached to the request.
     *
     * @return {@code true} only when the request already has a session and
     *         that session's ID equals the requested session ID
     */
    public boolean isRequestedSessionIdValid() {
        // false is passed as the create flag: this is a query only.
        final ServerSession current = (ServerSession) request.getSession(false);
        return current != null
            && current.getId().equals(getRequestedSessionId());
    }

  if (location.startsWith("#"))
      return (false);

        // Are we in a valid session that is not using cookies?
  Request request = response.getRequest();
  ServerSession session = request.getSession(false);
  if(session == null || !session.isValid())
      return false;
  // If the session is new, encode the URL
  if(!session.getTimeStamp().isNew() &&
    ((HttpServletRequestFacade)request.getFacade()).
      isRequestedSessionIdFromCookie())
      return false;

  // Is this a valid absolute URL?
  URL url = null;
  try {
      url = new URL(location);
  } catch (MalformedURLException e) {
      return (false);
  }
  // Does this URL match down to (and including) the context path?
  if (!request.scheme().equalsIgnoreCase(url.getProtocol()))
      return (false);
  if (!request.serverName().equalsIgnoreCase(url.getHost()))
      return (false);
        // Set the URL port to HTTP default if not available before comparing
        int urlPort = url.getPort();
        if (urlPort == -1) {
      if("http".equalsIgnoreCase(url.getProtocol())) {
    urlPort = 80;
      } else if ("https".equalsIgnoreCase(url.getProtocol())) {
    urlPort = 443;
            }
        }
  int serverPort = request.getServerPort();
  if (serverPort == -1// Work around bug in java.net.URL.getHost()
      serverPort = 80;
  if (serverPort != urlPort)
      return (false);
  String contextPath = request.getContext().getPath();
  if ((contextPath != null) && (contextPath.length() > 0)) {
      String file = url.getFile();
      if ((file == null) || !file.startsWith(contextPath))
    return (false);
      // XXX endsWith() ? However, that confilicts with
      // the ;charset= attribute.
      if(file.indexOf(";jsessionid=" + session.getId()) >= 0)
    return (false); // Already encoded
  }

  // This URL belongs to our web application, so it is encodeable
  return (true);
