MCPcopy Index your code
hub / github.com/OWASP/SecurityShepherd / validateAdminSession

Method validateAdminSession

src/main/java/utils/Validate.java:215–256  ·  view source on GitHub ↗

Session is checked for credentials and ensures that they have not been modified and that they are valid for an administrator @param ses HttpSession from users browser @return Boolean value that reflects the validity of the admins session

(HttpSession ses)

Source from the content-addressed store, hash-verified

213 * @return Boolean value that reflects the validity of the admins session
214 */
215 public static boolean validateAdminSession(HttpSession ses)
216 {
217 boolean result = false;
218 String userName = new String();
219 if (ses == null)
220 {
221 log.debug("No Session Found");
222 }
223 else
224 {
225 if (ses.getAttribute("logout") != null)
226 {
227 log.debug("Logout Attribute Found: Invalidating session...");
228 ses.invalidate(); // make servlet engine forget the session
229 }
230 else
231 {
232 //log.debug("Active Session Found");
233 if (ses.getAttribute("userRole") != null && ses.getAttribute("userName") != null)
234 {
235 try
236 {
237 userName = (String) ses.getAttribute("userName");
238 //log.debug("Session holder is " + userName);
239 String role = (String) ses.getAttribute("userRole");
240 result = (role.compareTo("admin") == 0);
241 if(!result)
242 log.fatal("User " + userName + " Attempting Admin functions! (CSRF Tokens Not Checked)");
243 }
244 catch (Exception e)
245 {
246 log.fatal("Tampered Parameter Detected!!! Could not parameters");
247 }
248 }
249 else
250 {
251 log.debug("Session has no credentials");
252 }
253 }
254 }
255 return result;
256 }
257
258 /**
259 * Session is checked for credentials and ensures that they have not been modified and that they are valid for an administrator. This function also validates CSRF tokens

Callers 15

doGetMethod · 0.95
doGetMethod · 0.95
doPostMethod · 0.95
doPostMethod · 0.95
doPostMethod · 0.95
doPostMethod · 0.95
doPostMethod · 0.95
doPostMethod · 0.95
doPostMethod · 0.95
doPostMethod · 0.95
doPostMethod · 0.95
doPostMethod · 0.95

Calls 1

validateTokensMethod · 0.95

Tested by

no test coverage detected