[SHIRO-678] only query parameters for sessionID if found
- getParameters() will also parse the body, which in turn decodes the content.
avoid calling this method unless we know the sessionID can be in the query part.
- getQueryString() can return null.
- refactor out one level of nesting
diff --git a/web/src/main/java/org/apache/shiro/web/session/mgt/DefaultWebSessionManager.java b/web/src/main/java/org/apache/shiro/web/session/mgt/DefaultWebSessionManager.java
index 9aa275a..4fd6a4e 100644
--- a/web/src/main/java/org/apache/shiro/web/session/mgt/DefaultWebSessionManager.java
+++ b/web/src/main/java/org/apache/shiro/web/session/mgt/DefaultWebSessionManager.java
@@ -130,11 +130,15 @@
//try the URI path segment parameters first:
id = getUriPathSegmentParamValue(request, ShiroHttpSession.DEFAULT_SESSION_ID_NAME);
- if (id == null) {
+ if (id == null && request instanceof HttpServletRequest) {
//not a URI path segment parameter, try the query parameters:
String name = getSessionIdName();
- id = request.getParameter(name);
- if (id == null) {
+ HttpServletRequest httpServletRequest = WebUtils.toHttp(request);
+ String queryString = httpServletRequest.getQueryString();
+ if (queryString != null && queryString.contains(name)) {
+ id = request.getParameter(name);
+ }
+ if (id == null && queryString != null && queryString.contains(name.toLowerCase())) {
//try lowercase:
id = request.getParameter(name.toLowerCase());
}
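Review bot: The gate `if (queryString != null && queryString.contains(name))` is a raw-substring test on the undecoded query string, so it misclassifies two cases: a percent-encoded parameter name (which `getParameter` would still decode) now silently drops the session id, while `name` occurring inside another parameter's name or value still triggers the body parse the change is meant to avoid. If that trade-off is intended, a comment above the check should say so, e.g. `// Only call getParameter() when the id name appears in the raw query string; getParameter() would otherwise parse the request body. As a consequence the session id is no longer accepted from a POST body.`. A tighter, still cheap boundary check such as `queryString.startsWith(name + "=") || queryString.contains("&" + name + "=")` would remove most of the false positives. Both `name.toLowerCase()` calls (the new one in the second `if` and the pre-existing one inside `getParameter`) are locale-sensitive; `name.toLowerCase(Locale.ROOT)` avoids a Turkish-locale `I`→`ı` mismatch between the query-string check and the parameter lookup. The enclosing method starts and ends outside the hunk.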
diff --git a/web/src/test/groovy/org/apache/shiro/web/session/mgt/DefaultWebSessionManagerTest.groovy b/web/src/test/groovy/org/apache/shiro/web/session/mgt/DefaultWebSessionManagerTest.groovy
index 35b3120..44a1449 100644
--- a/web/src/test/groovy/org/apache/shiro/web/session/mgt/DefaultWebSessionManagerTest.groovy
+++ b/web/src/test/groovy/org/apache/shiro/web/session/mgt/DefaultWebSessionManagerTest.groovy
@@ -158,6 +158,7 @@
expect(cookie.getName()).andReturn(ShiroHttpSession.DEFAULT_SESSION_ID_NAME);
expect(request.getRequestURI()).andReturn("/foo/bar?JSESSIONID=$id" as String)
+ expect(request.getQueryString()).andReturn("JSESSIONID=$id" as String)
expect(request.getParameter(ShiroHttpSession.DEFAULT_SESSION_ID_NAME)).andReturn(id);
request.setAttribute(ShiroHttpServletRequest.REFERENCED_SESSION_ID_SOURCE,
ShiroHttpServletRequest.URL_SESSION_ID_SOURCE);
@@ -193,8 +194,8 @@
String id = "12345";
expect(cookie.getName()).andReturn(ShiroHttpSession.DEFAULT_SESSION_ID_NAME);
- expect(request.getRequestURI()).andReturn("/foo/bar?JSESSIONID=$id" as String)
- expect(request.getParameter(ShiroHttpSession.DEFAULT_SESSION_ID_NAME)).andReturn(null);
+ expect(request.getRequestURI()).andReturn("/foo/bar?jsessionid=$id" as String)
+ expect(request.getQueryString()).andReturn("jsessionid=$id" as String)
expect(request.getParameter(ShiroHttpSession.DEFAULT_SESSION_ID_NAME.toLowerCase())).andReturn(id);
request.setAttribute(ShiroHttpServletRequest.REFERENCED_SESSION_ID_SOURCE,
ShiroHttpServletRequest.URL_SESSION_ID_SOURCE);
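Review bot: Neither test hunk exercises the path the change introduces, where the session id name is absent from the query string and `getParameter` must not be called; both hunks stub `getQueryString()` with a value that contains the name and still expect `getParameter` to return the id. A third case with `expect(request.getQueryString()).andReturn("foo=bar")` and no `getParameter` expectation (so the mock fails on an unexpected call) would pin the behaviour SHIRO-678 is about. The rest of the test class is outside these hunks, so such a case may already exist elsewhere in the file.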