diff --git a/src/main/java/com/gitblit/ConfigUserService.java b/src/main/java/com/gitblit/ConfigUserService.java index 6d7230f71..025b1d8c0 100644 --- a/src/main/java/com/gitblit/ConfigUserService.java +++ b/src/main/java/com/gitblit/ConfigUserService.java @@ -898,7 +898,7 @@ protected synchronized void read() { user.countryCode = config.getString(USER, username, COUNTRYCODE); user.cookie = config.getString(USER, username, COOKIE); if (StringUtils.isEmpty(user.cookie) && !StringUtils.isEmpty(user.password)) { - user.cookie = StringUtils.getSHA1(user.username + user.password); + user.cookie = user.createCookie(); } // preferences diff --git a/src/main/java/com/gitblit/auth/AuthenticationProvider.java b/src/main/java/com/gitblit/auth/AuthenticationProvider.java index 0bfe23515..e359fd7e4 100644 --- a/src/main/java/com/gitblit/auth/AuthenticationProvider.java +++ b/src/main/java/com/gitblit/auth/AuthenticationProvider.java @@ -78,10 +78,10 @@ public String getServiceName() { public abstract AuthenticationType getAuthenticationType(); - protected void setCookie(UserModel user, char [] password) { + protected void setCookie(UserModel user) { // create a user cookie - if (StringUtils.isEmpty(user.cookie) && !ArrayUtils.isEmpty(password)) { - user.cookie = StringUtils.getSHA1(user.username + new String(password)); + if (StringUtils.isEmpty(user.cookie)) { + user.cookie = user.createCookie(); } } diff --git a/src/main/java/com/gitblit/auth/HtpasswdAuthProvider.java b/src/main/java/com/gitblit/auth/HtpasswdAuthProvider.java index 2cdabf6f8..3a6cb8ec1 100644 --- a/src/main/java/com/gitblit/auth/HtpasswdAuthProvider.java +++ b/src/main/java/com/gitblit/auth/HtpasswdAuthProvider.java @@ -196,7 +196,7 @@ else if (supportPlaintextPwd() && storedPwd.equals(passwd)){ } // create a user cookie - setCookie(user, password); + setCookie(user); // Set user attributes, hide password from backing user service. user.password = Constants.EXTERNAL_ACCOUNT; diff --git a/src/main/java/com/gitblit/auth/LdapAuthProvider.java b/src/main/java/com/gitblit/auth/LdapAuthProvider.java index cc772e7b4..b7efd4a04 100644 --- a/src/main/java/com/gitblit/auth/LdapAuthProvider.java +++ b/src/main/java/com/gitblit/auth/LdapAuthProvider.java @@ -360,7 +360,7 @@ public UserModel authenticate(String username, char[] password) { } // create a user cookie - setCookie(user, password); + setCookie(user); if (!supportsTeamMembershipChanges()) { getTeamsFromLdap(ldapConnection, simpleUsername, loggingInUser, user); diff --git a/src/main/java/com/gitblit/auth/PAMAuthProvider.java b/src/main/java/com/gitblit/auth/PAMAuthProvider.java index 46f4dd6a6..b38d49df9 100644 --- a/src/main/java/com/gitblit/auth/PAMAuthProvider.java +++ b/src/main/java/com/gitblit/auth/PAMAuthProvider.java @@ -122,7 +122,7 @@ public UserModel authenticate(String username, char[] password) { } // create a user cookie - setCookie(user, password); + setCookie(user); // update user attributes from UnixUser user.accountType = getAccountType(); diff --git a/src/main/java/com/gitblit/auth/RedmineAuthProvider.java b/src/main/java/com/gitblit/auth/RedmineAuthProvider.java index 27cece299..364aff042 100644 --- a/src/main/java/com/gitblit/auth/RedmineAuthProvider.java +++ b/src/main/java/com/gitblit/auth/RedmineAuthProvider.java @@ -139,7 +139,7 @@ public UserModel authenticate(String username, char[] password) { } // create a user cookie - setCookie(user, password); + setCookie(user); // update user attributes from Redmine user.accountType = getAccountType(); diff --git a/src/main/java/com/gitblit/auth/SalesforceAuthProvider.java b/src/main/java/com/gitblit/auth/SalesforceAuthProvider.java index df033c27a..79c3a0c47 100644 --- a/src/main/java/com/gitblit/auth/SalesforceAuthProvider.java +++ b/src/main/java/com/gitblit/auth/SalesforceAuthProvider.java @@ -66,7 +66,7 @@ public UserModel authenticate(String username, char[] password) { user = new UserModel(simpleUsername); } - setCookie(user, password); + setCookie(user); setUserAttributes(user, info); updateUser(user); diff --git a/src/main/java/com/gitblit/auth/WindowsAuthProvider.java b/src/main/java/com/gitblit/auth/WindowsAuthProvider.java index aee51008a..4c31fb15b 100644 --- a/src/main/java/com/gitblit/auth/WindowsAuthProvider.java +++ b/src/main/java/com/gitblit/auth/WindowsAuthProvider.java @@ -153,7 +153,7 @@ public UserModel authenticate(String username, char[] password) { } // create a user cookie - setCookie(user, password); + setCookie(user); // update user attributes from Windows identity user.accountType = getAccountType(); diff --git a/src/main/java/com/gitblit/client/EditUserDialog.java b/src/main/java/com/gitblit/client/EditUserDialog.java index 676916b23..4b01ff046 100644 --- a/src/main/java/com/gitblit/client/EditUserDialog.java +++ b/src/main/java/com/gitblit/client/EditUserDialog.java @@ -330,7 +330,7 @@ private boolean validateFields() { } // change the cookie - user.cookie = StringUtils.getSHA1(user.username + password); + user.cookie = user.createCookie(); String type = settings.get(Keys.realm.passwordStorage).getString("md5"); if (type.equalsIgnoreCase("md5")) { diff --git a/src/main/java/com/gitblit/models/UserModel.java b/src/main/java/com/gitblit/models/UserModel.java index e15227482..edbdf028b 100644 --- a/src/main/java/com/gitblit/models/UserModel.java +++ b/src/main/java/com/gitblit/models/UserModel.java @@ -17,6 +17,7 @@ import java.io.Serializable; import java.security.Principal; +import java.security.SecureRandom; import java.util.ArrayList; import java.util.Collections; import java.util.HashSet; @@ -660,4 +661,11 @@ public boolean isMyPersonalRepository(String repository) { String projectPath = StringUtils.getFirstPathElement(repository); return !StringUtils.isEmpty(projectPath) && projectPath.equalsIgnoreCase(getPersonalPath()); } + + public String createCookie() { + SecureRandom random = new SecureRandom(); + byte[] values = new byte[20]; + random.nextBytes(values); + return StringUtils.getSHA1(String.valueOf(values)); + } } diff --git a/src/main/java/com/gitblit/wicket/pages/EditUserPage.java b/src/main/java/com/gitblit/wicket/pages/EditUserPage.java index 220bee3f6..72dee6b6d 100644 --- a/src/main/java/com/gitblit/wicket/pages/EditUserPage.java +++ b/src/main/java/com/gitblit/wicket/pages/EditUserPage.java @@ -156,7 +156,7 @@ protected void onSubmit() { } // change the cookie - userModel.cookie = StringUtils.getSHA1(userModel.username + password); + userModel.cookie = userModel.createCookie(); // Optionally store the password MD5 digest. String type = app().settings().getString(Keys.realm.passwordStorage, "md5");