From 68ae0d32ea896155e5b611d10c1663b674c3a220 Mon Sep 17 00:00:00 2001
From: James Moger <james.moger@gitblit.com>
Date: Fri, 23 May 2014 08:31:13 -0400
Subject: [PATCH] Merge branch 'ticket/84' into develop

---
 src/main/java/com/gitblit/wicket/pages/SessionPage.java |   30 ++++++++++++++++++++++++++++++
 1 files changed, 30 insertions(+), 0 deletions(-)

diff --git a/src/main/java/com/gitblit/wicket/pages/SessionPage.java b/src/main/java/com/gitblit/wicket/pages/SessionPage.java
index d2fcfa0..7a58175 100644
--- a/src/main/java/com/gitblit/wicket/pages/SessionPage.java
+++ b/src/main/java/com/gitblit/wicket/pages/SessionPage.java
@@ -16,6 +16,7 @@
 package com.gitblit.wicket.pages;
 
 import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
 
 import org.apache.wicket.PageParameters;
 import org.apache.wicket.markup.html.WebPage;
@@ -24,6 +25,7 @@
 
 import com.gitblit.Keys;
 import com.gitblit.models.UserModel;
+import com.gitblit.utils.StringUtils;
 import com.gitblit.wicket.GitBlitWebApp;
 import com.gitblit.wicket.GitBlitWebSession;
 
@@ -53,6 +55,34 @@
 			// already have a session, refresh usermodel to pick up
 			// any changes to permissions or roles (issue-186)
 			UserModel user = app().users().getUserModel(session.getUser().username);
+
+			if (user == null || user.disabled) {
+				// user was deleted/disabled during session
+				HttpServletResponse response = ((WebResponse) getRequestCycle().getResponse())
+						.getHttpServletResponse();
+				app().authentication().logout(response, user);
+				session.setUser(null);
+				session.invalidateNow();
+				return;
+			}
+
+			// validate cookie during session (issue-361)
+			if (user != null && app().settings().getBoolean(Keys.web.allowCookieAuthentication, true)) {
+				HttpServletRequest request = ((WebRequest) getRequestCycle().getRequest())
+						.getHttpServletRequest();
+				String requestCookie = app().authentication().getCookie(request);
+				if (!StringUtils.isEmpty(requestCookie) && !StringUtils.isEmpty(user.cookie)) {
+					if (!requestCookie.equals(user.cookie)) {
+						// cookie was changed during our session
+						HttpServletResponse response = ((WebResponse) getRequestCycle().getResponse())
+								.getHttpServletResponse();
+						app().authentication().logout(response, user);
+						session.setUser(null);
+						session.invalidateNow();
+						return;
+					}
+				}
+			}
 			session.setUser(user);
 			return;
 		}

--
Gitblit v1.9.1