HPCC-20557 Return special error for wrong esp session request

If a session enabled ESP was used and some web page is still open, the session timer may trig a session lock request to ESP even if the ESP has been switched to a session disabled ESP. In this fix, ESP will detect the problem and return an 'Action not support:...' error to the session timer. Also clear session cookies from ESP side. Signed-off-by: wangkx <kevin.wang@lexisnexis.com>
hpcc-systems · Sep 18, 2018 · e3fe16b · e3fe16b
1 parent 7a4dbdb
commit e3fe16b
Show file tree

Hide file tree

Showing 3 changed files with 54 additions and 1 deletion.
diff --git a/esp/bindings/http/platform/httpbinding.cpp b/esp/bindings/http/platform/httpbinding.cpp
@@ -266,6 +266,9 @@ EspHttpBinding::EspHttpBinding(IPropertyTree* tree, const char *bindname, const
     if(m_challenge_realm.length() == 0)
         m_challenge_realm.append("ESP");
 
+    //Even for non-session based environment, the sessionIDCookieName may be used to
+    //remove session related cookies cached in some browser page.
+    sessionIDCookieName.setf("%s%d", SESSION_ID_COOKIE, m_port);
     if (!m_secmgr.get() || !daliClientActive())
     {
         if (!daliClientActive())
@@ -336,7 +339,6 @@ void EspHttpBinding::setSDSSession()
         newAppSessionTree->setPropInt("@port", m_port);
     }
     sessionSDSPath.setf("%s/%s/", espSessionSDSPath.str(), appStr.str());
-    sessionIDCookieName.setf("%s%d", SESSION_ID_COOKIE, m_port);
 }
 
 static int compareLength(char const * const *l, char const * const *r) { return strlen(*l) - strlen(*r); }

diff --git a/esp/bindings/http/platform/httpservice.cpp b/esp/bindings/http/platform/httpservice.cpp
@@ -1033,6 +1033,46 @@ EspAuthState CEspHttpServer::preCheckAuth(EspAuthRequest& authReq)
             return authTaskDone;
         }
 
+        unsigned sessionID = readCookie(authReq.authBinding->querySessionIDCookieName());
+        if (sessionID > 0)
+        {
+            if (authReq.authBinding->getDomainAuthType() == AuthUserNameOnly)
+            {
+                clearCookie(authReq.authBinding->querySessionIDCookieName());
+                clearCookie(SESSION_ID_TEMP_COOKIE);
+                clearCookie(SESSION_TIMEOUT_COOKIE);
+            }
+            else
+                clearSessionCookies(authReq);
+
+            if (!authReq.serviceName.isEmpty() && strieq(authReq.serviceName.str(), "esp"))
+            {
+                const char* method = authReq.methodName.str();
+                if (!isEmptyString(method))
+                {
+                    if (strieq(method, "lock") || strieq(method, "unlock"))
+                    {
+                        VStringBuffer errMsg("Action not support: %s", method);
+                        sendLockResponse(strieq(method, "lock"), true, errMsg.str());
+                        return authTaskDone;
+                    }
+                    else if (strieq(method, "login") || strieq(method, "logout") || (strnicmp(method, "updatepassword", 14) == 0))
+                    {
+                        VStringBuffer errMsg("Action not support: %s", method);
+                        sendMessage(errMsg.str(), "text/html; charset=UTF-8");
+                        return authTaskDone;
+                    }
+                    else if (strieq(method, "get_session_timeout") || strieq(method, "reset_session_timeout"))
+                    {
+                        VStringBuffer errMsg("Action not support: %s", method);
+                        ESPSerializationFormat respFormat = m_request->queryContext()->getResponseFormat();
+                        sendMessage(errMsg.str(), (respFormat == ESPSerializationJSON) ? "application/json" : "text/xml");
+                        return authTaskDone;
+                    }
+                }
+            }
+        }
+
         if (authReq.authBinding->getDomainAuthType() == AuthUserNameOnly)
             return handleUserNameOnlyMode(authReq);
         return authSucceeded;
@@ -1790,6 +1830,16 @@ void CEspHttpServer::addCookie(const char* cookieName, const char *cookieValue,
     m_response->addCookie(cookie);
 }
 
+void CEspHttpServer::clearSessionCookies(EspAuthRequest& authReq)
+{
+    clearCookie(authReq.authBinding->querySessionIDCookieName());
+    clearCookie(SESSION_ID_TEMP_COOKIE);
+    clearCookie(SESSION_START_URL_COOKIE);
+    clearCookie(SESSION_AUTH_OK_COOKIE);
+    clearCookie(SESSION_AUTH_MSG_COOKIE);
+    clearCookie(SESSION_TIMEOUT_COOKIE);
+}
+
 void CEspHttpServer::clearCookie(const char* cookieName)
 {
     CEspCookie* cookie = new CEspCookie(cookieName, "");

diff --git a/esp/bindings/http/platform/httpservice.hpp b/esp/bindings/http/platform/httpservice.hpp
@@ -91,6 +91,7 @@ class CEspHttpServer : implements IHttpServerService, public CInterface
     void timeoutESPSessions(EspHttpBinding* authBinding, IPropertyTree* espSessions);
     void addCookie(const char* cookieName, const char *cookieValue, int maxAgeSec, bool httpOnly);
     void clearCookie(const char* cookieName);
+    void clearSessionCookies(EspAuthRequest& authReq);
     unsigned readCookie(const char* cookieName);
     const char* readCookie(const char* cookieName, StringBuffer& cookieValue);
     void sendLockResponse(bool lock, bool error, const char* msg);