Use of org.zaproxy.zap.extension.httpsessions.HttpSessionTokensSet in project zaproxy by zaproxy.
The class CookieBasedSessionManagementHelper, method processMessageToMatchSession.
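/**
 * Modifies a message so its Request Header/Body matches the web session provided.
 *
 * <p>Every request cookie whose name is a session token of {@code session} is either updated
 * to the session's value for that token or, when the session holds no value for it, removed.
 * Session tokens that have a value but are not yet present in the request are appended as new
 * cookies. The session is then stored in the message and the request cookies are written back
 * to its request header.
 *
 * @param message the message
 * @param requestCookies a pre-computed list with the request cookies (for optimization
 *     reasons); it is modified in place and must therefore be mutable
 * @param session the session
 * @throws NullPointerException if {@code message}, {@code requestCookies} or {@code session}
 *     is {@code null}
 */
public static void processMessageToMatchSession(
        HttpMessage message, List<HttpCookie> requestCookies, HttpSession session) {
    HttpSessionTokensSet tokensSet = session.getTokensNames();
    // A session without tokens yields null; use an empty set so the lookups below are safe
    if (tokensSet == null) {
        tokensSet = new HttpSessionTokensSet();
    }
    // Work on a copy: tokens are removed from it as they are matched in the request, so what
    // remains at the end are the tokens that still have to be added
    Set<String> unsetSiteTokens = new LinkedHashSet<>(tokensSet.getTokensSet());

    // Iterate through the cookies in the request (an explicit iterator is needed so that
    // cookies without a session value can be removed while iterating)
    Iterator<HttpCookie> it = requestCookies.iterator();
    while (it.hasNext()) {
        HttpCookie cookie = it.next();
        String cookieName = cookie.getName();
        if (!tokensSet.isSessionToken(cookieName)) {
            continue;
        }
        String tokenValue = session.getTokenValue(cookieName);
        // NOTE(review): tokenValue is a session credential and is written to the debug log
        // here and in the loop below; confirm that is intended for this log level
        if (log.isDebugEnabled()) {
            log.debug("Changing value of token '" + cookieName + "' to: " + tokenValue);
        }
        if (tokenValue != null) {
            // Change its value to the one in the active session
            cookie.setValue(tokenValue);
        } else {
            // Or delete it, if the active session does not have a value for this token
            it.remove();
        }
        unsetSiteTokens.remove(cookieName);
    }

    // Add the session tokens that are missing from the request and have a value
    for (String token : unsetSiteTokens) {
        String tokenValue = session.getTokenValue(token);
        if (tokenValue != null) {
            if (log.isDebugEnabled()) {
                // Closing quote after the token name was missing in the original message
                log.debug("Adding token '" + token + "' with value: " + tokenValue);
            }
            requestCookies.add(new HttpCookie(token, tokenValue));
        }
    }

    // Store the session in the HttpMessage for caching purposes
    message.setHttpSession(session);
    // Update the cookies in the message
    message.getRequestHeader().setCookies(requestCookies);
}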