Session is checked for credentials and ensures that they have not been modified and that they are valid for an administrator @param ses HttpSession from users browser @return Boolean value that reflects the validity of the admins session
(HttpSession ses)
| 213 | * @return Boolean value that reflects the validity of the admins session |
| 214 | */ |
| 215 | public static boolean validateAdminSession(HttpSession ses) |
| 216 | { |
| 217 | boolean result = false; |
| 218 | String userName = new String(); |
| 219 | if (ses == null) |
| 220 | { |
| 221 | log.debug("No Session Found"); |
| 222 | } |
| 223 | else |
| 224 | { |
| 225 | if (ses.getAttribute("logout") != null) |
| 226 | { |
| 227 | log.debug("Logout Attribute Found: Invalidating session..."); |
| 228 | ses.invalidate(); // make servlet engine forget the session |
| 229 | } |
| 230 | else |
| 231 | { |
| 232 | //log.debug("Active Session Found"); |
| 233 | if (ses.getAttribute("userRole") != null && ses.getAttribute("userName") != null) |
| 234 | { |
| 235 | try |
| 236 | { |
| 237 | userName = (String) ses.getAttribute("userName"); |
| 238 | //log.debug("Session holder is " + userName); |
| 239 | String role = (String) ses.getAttribute("userRole"); |
| 240 | result = (role.compareTo("admin") == 0); |
| 241 | if(!result) |
| 242 | log.fatal("User " + userName + " Attempting Admin functions! (CSRF Tokens Not Checked)"); |
| 243 | } |
| 244 | catch (Exception e) |
| 245 | { |
| 246 | log.fatal("Tampered Parameter Detected!!! Could not parameters"); |
| 247 | } |
| 248 | } |
| 249 | else |
| 250 | { |
| 251 | log.debug("Session has no credentials"); |
| 252 | } |
| 253 | } |
| 254 | } |
| 255 | return result; |
| 256 | } |
| 257 | |
| 258 | /** |
| 259 | * Session is checked for credentials and ensures that they have not been modified and that they are valid for an administrator. This function also validates CSRF tokens |
no test coverage detected