Merge pull request #11778 from wangkx/h20441a

HPCC-20441 Return special exception for invalid session ID or IP

Reviewed-By: Gordon Smith <gordon.smith@lexisnexis.com>
Reviewed-By: Russ Whitehead <william.whitehead@lexisnexis.com>

esp/bindings/http/platform/httpservice.cpp

@@ -1306,6 +1306,39 @@ EspAuthState CEspHttpServer::authNewSession(EspAuthRequest& authReq, const char*
     return authSucceeded;
 }
 
+void CEspHttpServer::sendException(EspAuthRequest& authReq, unsigned code, const char* msg)
+{
+    if (authReq.isSoapPost) //from SOAP Test page
+    {
+        sendMessage(msg, "text/html; charset=UTF-8");
+        return;
+    }
+
+    StringBuffer resp;
+    ESPSerializationFormat format = m_request->queryContext()->getResponseFormat();
+    if (format == ESPSerializationJSON)
+    {
+        resp.set("{ ");
+        resp.append(" \"Exceptions\": { ");
+        resp.append(" \"Exception\": { ");
+        resp.appendf("\"Code\": \"%u\"", code);
+        if (!isEmptyString(msg))
+            resp.appendf(", \"Message\": \"%s\"", msg);
+        resp.append(" }");
+        resp.append(" }");
+        resp.append(" }");
+    }
+    else
+    {
+        resp.set("<Exceptions><Exception>");
+        resp.append("<Code>").append(code).append("</Code>");
+        if (!isEmptyString(msg))
+            resp.append("<Message>").append(msg).append("</Message>");
+        resp.append("</Exception></Exceptions>");
+    }
+    sendMessage(resp.str(), (format == ESPSerializationJSON) ? "application/json" : "text/xml");
+}
+
 void CEspHttpServer::sendAuthorizationMsg(EspAuthRequest& authReq)
 {
     StringBuffer resp;
@@ -1539,16 +1572,9 @@ EspAuthState CEspHttpServer::authExistingSession(EspAuthRequest& authReq, unsign
     if (!sessionTree)
     {
         authReq.ctx->setAuthStatus(AUTH_STATUS_FAIL);
-        ESPLOG(LogMin, "Authentication failed: session:<%u> not found", sessionID);
-
-        clearCookie(authReq.authBinding->querySessionIDCookieName());
-        clearCookie(SESSION_AUTH_OK_COOKIE);
-        ESPLOG(LogMin, "clearCookie() called for session <%u> ID cookie", sessionID);
-
-        if (authReq.isSoapPost) //from SOAP Test page
-            sendMessage("Session expired. Please close this page and login again.", "text/html; charset=UTF-8");
-        else
-            askUserLogin(authReq, "Authentication failed: invalid sessionID.");
+        clearSessionCookies(authReq);
+        sendException(authReq, 401, "Authentication failed: invalid session ID.");
+        ESPLOG(LogMin, "Authentication failed: invalid session ID '%u'. clearSessionCookies() called for the session.", sessionID);
         return authFailed;
     }
 
@@ -1557,8 +1583,9 @@ EspAuthState CEspHttpServer::authExistingSession(EspAuthRequest& authReq, unsign
     if (!streq(m_request->getPeer(peer).str(), sessionStartIP))
     {
         authReq.ctx->setAuthStatus(AUTH_STATUS_FAIL);
-        ESPLOG(LogMin, "Authentication failed: session:<%u> received from <%s>, not from <%s>", sessionID, peer.str(), sessionStartIP);
-        sendMessage("Invalid session.", "text/html; charset=UTF-8");
+        clearSessionCookies(authReq);
+        sendException(authReq, 401, "Authentication failed: network address for ESP session changed.");
+        ESPLOG(LogMin, "Authentication failed: session ID %u from IP %s. ", sessionID, peer.str());
         return authFailed;
     }
 

esp/bindings/http/platform/httpservice.hpp

@@ -99,6 +99,7 @@ protected:
     void sendGetAuthTypeResponse(EspAuthRequest& authReq, const char* authType);
     void createGetSessionTimeoutResponse(StringBuffer& resp, ESPSerializationFormat format, IPropertyTree* sessionTree);
     void resetSessionTimeout(EspAuthRequest& authReq, unsigned sessionID, StringBuffer& resp, ESPSerializationFormat format, IPropertyTree* sessionTree);
+    void sendException(EspAuthRequest& authReq, unsigned code, const char* msg);
     void sendMessage(const char* msg, const char* msgType);
     IRemoteConnection* getSDSConnection(const char* xpath, unsigned mode, unsigned timeout);