Feature #7598 » 0002-Initial-weakSessionId-support-for-WResource.patch
| src/Wt/WApplication.C | ||
|---|---|---|
|
static unsigned long seq = 0;
|
||
|
if (resource->internalPath().empty())
|
||
|
return session_->mostRelativeUrl(fn)
|
||
|
return session_->mostRelativeUrl(fn, WebSession::SessionOption::UseWeakSessionId)
|
||
|
+ "&request=resource&resource=" + Utils::urlEncode(resource->id())
|
||
|
+ "&rand=" + std::to_string(seq++);
|
||
|
else {
|
||
| src/web/WebSession.C | ||
|---|---|---|
|
return;
|
||
|
}
|
||
|
bool weakSession = (wtdE && *wtdE == weakSessionId_);
|
||
|
if (weakSession && !requestForResource) {
|
||
|
LOG_SECURE("Received request from weakSessionId that is not for a resource");
|
||
|
serveError(403, handler, "Forbidden");
|
||
|
return;
|
||
|
}
|
||
|
/*
|
||
|
* Under what circumstances do we allow a request which does not have
|
||
|
* a session ID (i.e. who as it only through a cookie?)
|
||
| ... | ... | |
|
*
|
||
|
* in other cases: discard the request
|
||
|
*/
|
||
|
if ((!wtdE || (*wtdE != sessionId_))
|
||
|
if ((!wtdE || (*wtdE != sessionId_ && !weakSession))
|
||
|
&& state_ != State::JustCreated
|
||
|
&& (requestE && (*requestE == "jsupdate" ||
|
||
|
*requestE == "jserror" ||
|
||
|
*requestE == "resource"))) {
|
||
|
LOG_DEBUG("CSRF: " << (wtdE ? *wtdE : "no wtd") << " != " << sessionId_ <<
|
||
|
", requestE: " << (requestE ? *requestE : "none"));
|
||
|
LOG_DEBUG("CSRF: " << (wtdE ? *wtdE : "no wtd") << " != (" << sessionId_ <<
|
||
|
"or weakSessionId " << weakSessionId_ <<
|
||
|
"), requestE: " << (requestE ? *requestE : "none"));
|
||
|
LOG_SECURE("CSRF prevention kicked in.");
|
||
|
serveError(403, handler, "Forbidden");
|
||
|
} else
|
||