[#1521] session cookie without '-' throws 500

playframework · May 11, 2012 · 99b41fe · 99b41fe
1 parent ab25dbc
commit 99b41fe
Showing 1 changed file with 12 additions and 9 deletions.
diff --git a/framework/src/play/mvc/Scope.java b/framework/src/play/mvc/Scope.java
@@ -182,15 +182,18 @@ static Session restore() {
 
                 if (cookie != null && Play.started && cookie.value != null && !cookie.value.trim().equals("")) {
                     String value = cookie.value;
-                    String sign = value.substring(0, value.indexOf("-"));
-                    String data = value.substring(value.indexOf("-") + 1);
-                    if (sign.equals(Crypto.sign(data, Play.secretKey.getBytes()))) {
-                        String sessionData = URLDecoder.decode(data, "utf-8");
-                        Matcher matcher = sessionParser.matcher(sessionData);
-                        while (matcher.find()) {
-                            session.put(matcher.group(1), matcher.group(2));
-                        }
-                    }
+				 	int firstDashIndex = value.indexOf("-");
+				    if(firstDashIndex > -1) {
+                    	String sign = value.substring(0, firstDashIndex);
+                    	String data = value.substring(firstDashIndex + 1);
+                    	if (sign.equals(Crypto.sign(data, Play.secretKey.getBytes()))) {
+                        	String sessionData = URLDecoder.decode(data, "utf-8");
+                        	Matcher matcher = sessionParser.matcher(sessionData);
+                        	while (matcher.find()) {
+                            	session.put(matcher.group(1), matcher.group(2));
+                        	}
+                    	}
+					} 
                     if (COOKIE_EXPIRE != null) {
                         // Verify that the session contains a timestamp, and that it's not expired
 					    if (!session.contains(TS_KEY)) {