Security prevent sessionId from being send to the client

(cherry picked from commit b74bd32)
businesscode · May 16, 2017 · bb7d4d4 · bb7d4d4
1 parent d95d8c7
commit bb7d4d4
Show file tree

Hide file tree

Showing 3 changed files with 3 additions and 6 deletions.
diff --git a/Client/src/js/bcdui.js b/Client/src/js/bcdui.js
@@ -266,8 +266,7 @@ jQuery.extend( bcdui,
            * @private
            */
           BCDAppender.prototype._getDetailMessage = function() {
-            var msg = bcdui.config.sessionId;
-            msg += "\n" + new Date().toISOString();
+            var msg = "\n" + new Date().toISOString();
             msg += "\n" + navigator.userAgent;
             msg += "\n\n" + location.href;
             msg += "\n\n" + this.bufferedMessage;

diff --git a/Server/src/main/java/de/businesscode/bcdui/web/accessLogging/RequestHashGenerator.java b/Server/src/main/java/de/businesscode/bcdui/web/accessLogging/RequestHashGenerator.java
@@ -31,7 +31,7 @@ public static String generateHash(HttpServletRequest request) {
     String addOn = request.getSession(false) != null ? request.getSession(false).getId() : "-";
     String url = request.getHeader("Referer");
     if (url == null)
-      return addOn;
+      return new Integer(addOn.hashCode()).toString(); // Here we avoid sharing sessionid information with the client
     int x = url.indexOf("//");
     url = x != -1 ? url.substring(x + 2) : url;
     int y = url.indexOf("/");

diff --git a/Server/src/main/java/de/businesscode/bcdui/web/servlets/BCDUIConfig.java b/Server/src/main/java/de/businesscode/bcdui/web/servlets/BCDUIConfig.java
@@ -73,16 +73,13 @@ protected void doGet(HttpServletRequest request, HttpServletResponse response) t
       properties.load(new FileInputStream(propFile));
 
     boolean isDebug = ServletUtils.getInstance().isFeDebug(request);
-    String sessionId = (request != null && request.getSession(false) != null ? request.getSession(false).getId() : "");
 
     PrintWriter writer = new PrintWriter(response.getWriter());
     writer.println("var bcdui = bcdui || {};");
     writer.println("bcdui.core = bcdui.core || {};");
     writer.println("bcdui.config = {");
     writeClientParams(writer);
     writer.println("    contextPath: \"" + getServletContext().getContextPath() + "\"");
-    // FIXME TODO drop sessionId from here and use sessionHash where appropriate.
-    writer.println("  , sessionId: \"" + sessionId + "\"");
 
     // write authenticate information
     try {
@@ -167,6 +164,7 @@ else if (!lastRight.equals(right)) {
     if( ! "true".equals( request.getParameter("bcduiConfigOnly") ) )
       writer.println("document.write(\"<script type='text/javascript' src='" + getServletContext().getContextPath() + "/bcdui/js/bcduiLoader.js'></script>\");");
 
+    String sessionId = (request != null && request.getSession(false) != null ? request.getSession(false).getId() : "");
     if( log.isDebugEnabled() )
       log.debug("PageHash "+pageHash+" for "+request.getHeader("Referer")+", "+sessionId);