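/**
 * Checks whether the current session belongs to a logged-in customer, and for POST requests
 * verifies the anti-XSRF token before the caller is allowed to act on the customer's behalf.
 *
 * <p>On a missing or invalid session the requested forward page is remembered (so the login
 * page can send the customer back there) and a negative number is returned. On an invalid
 * session the customer manager is also logged out and the login cookie is reset.
 *
 * @param request the current servlet request; its method, servlet path and
 *     {@code xsrf_token} parameter are consulted for the XSRF check
 * @param response the current servlet response, passed through to the cookie logout handling
 * @param kkAppEng the KonaKart client engine instance holding session and XSRF state
 * @param forwardAfterLogin the page to forward to after login, or {@code null} to leave the
 *     stored forward untouched
 * @param checkXSRF whether the XSRF token must be validated for POST requests
 * @param xsrfToken a token supplied by the caller; when {@code null} the {@code xsrf_token}
 *     request parameter is used instead
 * @return the customer id when logged in (and, for a checked POST, the XSRF token matched);
 *     otherwise a negative number
 * @throws KKException propagated from the client engine
 * @throws KKAppException propagated from the client engine
 */
protected int loggedIn(HttpServletRequest request, HttpServletResponse response, KKAppEng kkAppEng,
        String forwardAfterLogin, boolean checkXSRF, String xsrfToken) throws KKException, KKAppException
{
    // No session at all: remember where to go after login and report "not logged in".
    if (kkAppEng.getSessionId() == null)
    {
        if (forwardAfterLogin != null)
        {
            kkAppEng.setForwardAfterLogin(forwardAfterLogin);
        }
        return -1;
    }

    // A KKException from checkSession means the session is no longer valid: remember the
    // forward, log the customer out and reset the cookie so the guest customer is the one stored.
    int custId;
    try
    {
        custId = kkAppEng.getEng().checkSession(kkAppEng.getSessionId());
    } catch (KKException e)
    {
        log.debug(e.getMessage());
        if (forwardAfterLogin != null)
        {
            kkAppEng.setForwardAfterLogin(forwardAfterLogin);
        }
        kkAppEng.getCustomerMgr().logout();
        manageCookieLogout(request, response, kkAppEng);
        return -1;
    }

    // XSRF check for POSTs. Requests redirected to after a login are skipped because the token
    // was not available at the time of the original post.
    // NOTE(review): the exemption is a substring match on the servlet path, so any path that
    // contains "LoginSubmit" skips the check — confirm that only the login-submit servlet
    // path can match.
    String expectedToken = kkAppEng.getXsrfToken();
    if (expectedToken != null && checkXSRF && !request.getServletPath().contains("LoginSubmit"))
    {
        String method = request.getMethod();
        if (method != null && method.equalsIgnoreCase("POST"))
        {
            String token = (xsrfToken != null) ? xsrfToken : request.getParameter("xsrf_token");
            // Compare in constant time so that the comparison's duration does not depend on how
            // many leading characters of the supplied token are correct.
            boolean matches = token != null
                    && java.security.MessageDigest.isEqual(
                            expectedToken.getBytes(java.nio.charset.StandardCharsets.UTF_8),
                            token.getBytes(java.nio.charset.StandardCharsets.UTF_8));
            if (!matches)
            {
                log.warn("Possible XSRF attack for customer with id = " + custId);
                return -1;
            }
        }
    }

    // Session is valid and (where required) the XSRF token matched.
    return custId;
}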