
Example 1 with HttpSessionTokensSet

use of org.zaproxy.zap.extension.httpsessions.HttpSessionTokensSet in project zaproxy by zaproxy.

From the class CookieBasedSessionManagementHelper, method processMessageToMatchSession:

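/**
 * Modifies a message so its Request Header/Body matches the web session provided.
 *
 * <p>Two passes are made over the request cookies: cookies whose name is a session token
 * are rewritten to the session's value (or removed when the session has no value for that
 * token), and session tokens missing from the request are appended as new cookies. The
 * session is then stored on the message and the rewritten cookie list is written back to
 * the request header.
 *
 * @param message the message whose request cookies are rewritten; its HTTP session is also set to {@code session}
 * @param requestCookies a pre-computed list with the request cookies (for optimization reasons);
 *     modified in place (entries are updated, removed and added) and then set on the request header
 * @param session the session whose token values are applied
 */
public static void processMessageToMatchSession(HttpMessage message, List<HttpCookie> requestCookies, HttpSession session) {
    // The session may report no token names at all; use an empty set so the lookups below are safe.
    HttpSessionTokensSet tokensSet = session.getTokensNames();
    if (tokensSet == null) {
        tokensSet = new HttpSessionTokensSet();
    }
    // Work on a copy: names are removed as they are matched against the request cookies,
    // so what remains afterwards is exactly the set of tokens the request did not carry.
    Set<String> unsetSiteTokens = new LinkedHashSet<>(tokensSet.getTokensSet());

    // Pass 1: session-token cookies already present in the request are updated or dropped.
    for (Iterator<HttpCookie> it = requestCookies.iterator(); it.hasNext(); ) {
        HttpCookie cookie = it.next();
        String cookieName = cookie.getName();
        if (!tokensSet.isSessionToken(cookieName)) {
            continue;
        }
        String tokenValue = session.getTokenValue(cookieName);
        // NOTE: the token value itself ends up in the debug log; keep debug logging off where logs are shared.
        if (log.isDebugEnabled()) {
            log.debug("Changing value of token '" + cookieName + "' to: " + tokenValue);
        }
        if (tokenValue != null) {
            cookie.setValue(tokenValue);
        } else {
            // The active session has no value for this token: the request must not carry it.
            it.remove();
        }
        unsetSiteTokens.remove(cookieName);
    }

    // Pass 2: tokens the session has a value for but the request lacks are added as new cookies.
    for (String token : unsetSiteTokens) {
        String tokenValue = session.getTokenValue(token);
        if (tokenValue == null) {
            continue;
        }
        if (log.isDebugEnabled()) {
            // Closing quote after the token name was missing in the original message.
            log.debug("Adding token '" + token + "' with value: " + tokenValue);
        }
        requestCookies.add(new HttpCookie(token, tokenValue));
    }

    // Store the session in the HttpMessage for caching purposes.
    message.setHttpSession(session);
    // Write the rewritten cookie list back to the request header.
    message.getRequestHeader().setCookies(requestCookies);
}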
